stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

semi implemented and features implemented save checkpoint

Browse Source
This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
docs/features/README.md Normal file
View File

@@ -0,0 +1,136 @@
# Feature Catalog
Structured inventory of all Stella Ops features, organized for E2E verification tracking.
Generated: 2026-02-08
## Summary
| Directory | Meaning | Count |
|-----------|---------|-------|
| `checked/` | Features verified by E2E tests | 0 |
| `unchecked/` | Implemented features needing E2E verification | 1,057 |
| `unimplemented/` | Partially implemented features | 99 |
| `dropped/` | Features not found in source code | 29 |
| **Total** | | **1,185** |
## How to Use
- **To verify a feature**: Pick a file from `unchecked/<module>/`, follow the E2E Test Plan, and if it passes, move the file to `checked/<module>/`.
- **To implement a missing feature**: Read a file from `unimplemented/<module>/`, review the "What's Missing" section, implement, then move to `unchecked/`.
- **To understand what was dropped**: Read files in `dropped/` for context on features that were planned but not implemented.
## Modules by Feature Count
### Large Modules (50+ features)
| Module | Unchecked | Unimplemented | Dropped | Total |
|--------|-----------|---------------|---------|-------|
| [Web](unchecked/web/) | 167 | 17 | 4 | 188 |
| [Attestor](unchecked/attestor/) | 153 | 27 | 2 | 182 |
| [Scanner](unchecked/scanner/) | 142 | 9 | 0 | 151 |
| [Cli](unchecked/cli/) | 97 | 7 | 0 | 104 |
| [Policy](unchecked/policy/) | 76 | 8 | 5 | 89 |
### Medium Modules (10-49 features)
| Module | Unchecked | Unimplemented | Dropped | Total |
|--------|-----------|---------------|---------|-------|
| [ReleaseOrchestrator](unchecked/releaseorchestrator/) | 44 | 1 | 0 | 45 |
| [BinaryIndex](unchecked/binaryindex/) | 41 | 2 | 0 | 43 |
| [Concelier](unchecked/concelier/) | 34 | 2 | 0 | 36 |
| [Libraries](unchecked/libraries/) | 24 | 2 | 1 | 27 |
| [Router](unchecked/router/) | 18 | 0 | 0 | 18 |
| [Excititor](unchecked/excititor/) | 17 | 0 | 1 | 18 |
| [Signals](unchecked/signals/) | 13 | 4 | 1 | 18 |
| [EvidenceLocker](unchecked/evidencelocker/) | 17 | 0 | 0 | 17 |
| [AdvisoryAI](unchecked/advisoryai/) | 15 | 1 | 1 | 17 |
| [Orchestrator](unchecked/orchestrator/) | 14 | 1 | 0 | 15 |
| [Authority](unchecked/authority/) | 12 | 1 | 0 | 13 |
| [AirGap](unchecked/airgap/) | 9 | 3 | 0 | 12 |
| [Tests](unchecked/tests/) | 11 | 0 | 2 | 13 |
| [Integrations](unchecked/integrations/) | 10 | 1 | 0 | 11 |
| [Zastava](unchecked/zastava/) | 9 | 1 | 0 | 10 |
### Small Modules (<10 features)
| Module | Unchecked | Unimplemented | Dropped | Total |
|--------|-----------|---------------|---------|-------|
| [Telemetry](unchecked/telemetry/) | 9 | 0 | 0 | 9 |
| [ReachGraph](unchecked/reachgraph/) | 7 | 2 | 0 | 9 |
| [Doctor](unchecked/doctor/) | 8 | 0 | 0 | 8 |
| [SbomService](unchecked/sbomservice/) | 7 | 1 | 0 | 8 |
| [Gateway](unchecked/gateway/) | 6 | 2 | 0 | 8 |
| [TaskRunner](unchecked/taskrunner/) | 7 | 0 | 0 | 7 |
| [VexLens](unchecked/vexlens/) | 6 | 0 | 1 | 7 |
| [Notifier](unchecked/notifier/) | 7 | 0 | 0 | 7 |
| [Findings](unchecked/findings/) | 7 | 0 | 0 | 7 |
| [Graph](unchecked/graph/) | 6 | 1 | 0 | 7 |
| [ExportCenter](unchecked/exportcenter/) | 6 | 1 | 0 | 7 |
| [Plugin](unchecked/plugin/) | 6 | 0 | 0 | 6 |
| [Platform](unchecked/platform/) | 6 | 0 | 0 | 6 |
| [Signer](unchecked/signer/) | 6 | 0 | 0 | 6 |
| [Cryptography](unchecked/cryptography/) | 5 | 0 | 1 | 6 |
| [Timeline](unchecked/timeline/) | 5 | 0 | 0 | 5 |
| [Tools](unchecked/tools/) | 4 | 0 | 0 | 4 |
| [Bench](unchecked/bench/) | 2 | 1 | 1 | 4 |
| [Scheduler](unchecked/scheduler/) | 3 | 0 | 0 | 3 |
| [RiskEngine](unchecked/riskengine/) | 2 | 0 | 1 | 3 |
| [Unknowns](unchecked/unknowns/) | 2 | 1 | 0 | 3 |
| [Replay](unchecked/replay/) | 2 | 1 | 0 | 3 |
### Single-Feature Modules
| Module | Status |
|--------|--------|
| [Aoc](unchecked/aoc/) | Unchecked |
| [Api](unchecked/api/) | Unchecked (2) |
| [Analyzers](unchecked/analyzers/) | Unchecked |
| [DevOps](unchecked/devops/) | Unchecked (2) |
| [DevPortal](unchecked/devportal/) | Unchecked |
| [Docs](unchecked/docs/) | Unchecked (2) |
| [Feedser](unchecked/feedser/) | Unchecked |
| [Mirror](unimplemented/mirror/) | Unimplemented |
| [PacksRegistry](unchecked/packsregistry/) | Unchecked |
| [Provenance](unimplemented/provenance/) | Unimplemented |
| [RuntimeInstrumentation](unchecked/runtimeinstrumentation/) | Unchecked |
| [Sdk](unchecked/sdk/) | Unchecked |
| [SmRemote](unchecked/smremote/) | Unchecked |
| [VulnExplorer](unchecked/vulnexplorer/) | Unchecked |
## File Format
Each feature file follows a standard template:
### Unchecked (IMPLEMENTED)
```
# Feature Name
## Module / ## Status / ## Description
## Implementation Details (key files, classes, services)
## E2E Test Plan (setup, action, verification steps)
```
### Unimplemented (PARTIALLY_IMPLEMENTED)
```
# Feature Name
## Module / ## Status / ## Description
## What's Implemented / ## What's Missing
## Implementation Plan
```
### Dropped (NOT_FOUND)
```
# Feature Name
## Status / ## Description
## Why Not Implemented / ## Source / ## Notes
```
## Source Data
This catalog was built from:
- 270 product advisories (Phase 1)
- 1,343 sprint archives (Phase 2)
- CLI + Web source code scan (Phase 3)
- Two deduplication passes reducing 1,600 entries to 1,185
See `FEATURE_CATALOG.md` in the repo root for the flat consolidated view.

0
docs/features/checked/.gitkeep Normal file
View File

22
docs/features/dropped/ci-lint-hook-for-implementor-guidelines.md Normal file
View File

@@ -0,0 +1,22 @@
# CI Lint Hook for Implementor Guidelines
## Status
NOT_FOUND
## Description
The advisory called for a CI lint hook stub to enforce guidelines (e.g., docs-touched tagging, schema/versioning control). No automated enforcement tooling was found.
## Why Not Implemented
- No CI lint hooks, pre-commit hooks, or automated enforcement tooling found under `.gitea/`, `devops/`, or `src/Tools/`
- CI workflows exist in `.gitea/workflows/` but focus on build/test/deploy, not implementor guideline enforcement
- No docs-touched tagging or schema versioning control automation found
- The repo uses `AGENTS.md` files for contributor guidance but enforcement is manual
- Likely deferred; CI lint hooks are typically a low-priority quality-of-life improvement
## Source
- Feature matrix scan
## Notes
- Module: Uncategorized
- Modules referenced: N/A
- Could live under `.gitea/hooks/` or `devops/scripts/` when implemented

33
docs/features/dropped/comparative-evidence-suppression-pattern-analysis.md Normal file
View File

@@ -0,0 +1,33 @@
# Comparative Evidence/Suppression Pattern Analysis
## Module
Attestor
## Status
PARTIALLY_IMPLEMENTED
## Description
Evidence and suppression patterns are implemented in the scanning and VEX override subsystems. The advisory was primarily a research/comparison document; its findings appear to have influenced the VEX override and evidence panel designs rather than producing a standalone feature.
## What's Implemented
- **VEX Override System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/` -- VexOverridePredicateBuilder, VexOverridePredicateParser, VexOverrideDecision, EvidenceReference -- provides structured suppression with evidence.
- **Audit Hash Logger**: `__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs` (with `.Validation`) -- audit logging for evidence and suppression actions.
- **Change Trace Attestation Service**: `ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` -- tracks changes including suppressions.
- **VEX Delta Tracking**: `Predicates/VexDeltaPredicate.cs`, `VexDeltaChange.cs`, `VexDeltaSummary.cs` -- tracks VEX status transitions.
## What's Missing
- **Cross-organization pattern analysis**: No service that compares suppression patterns across tenants or organizations to detect anomalous suppression rates.
- **Suppression pattern dashboard**: No UX component showing suppression trends, outliers, or comparative analysis against baselines.
- **Suppression quality scoring**: No scoring model that evaluates the quality/legitimacy of suppressions based on evidence strength.
- **Anomaly detection**: No automated detection of suspicious suppression patterns (e.g., bulk suppressions without evidence, suppressions of critical CVEs).
## Implementation Plan
- Design a suppression analytics service that aggregates suppression patterns
- Implement cross-tenant comparison with configurable baselines
- Add suppression quality scoring based on evidence reference count and type
- Build anomaly detection rules for suspicious suppression patterns
- Add dashboard UX components for suppression trend visualization
- Add tests for pattern analysis, scoring, and anomaly detection
## Related Documentation
- Source: See feature catalog

45
docs/features/dropped/dsse-gateway-traversal.md Normal file
View File

@@ -0,0 +1,45 @@
# DSSE Gateway Traversal (mTLS + provenance headers)
## Module
Scanner
## Status
PARTIALLY_IMPLEMENTED
## Description
HMAC-based DSSE envelope signing exists in the scanner worker for authenticating scan artifacts through gateway proxies. The feature envisions full mTLS gateway traversal with provenance headers injected by middleware, allowing scanner-to-registry and scanner-to-evidence-locker communication through reverse proxies (NGINX, Envoy, WAF) while maintaining attestation chain integrity.
## What's Implemented
- **HMAC DSSE Envelope Signing**:
- `src/Scanner/StellaOps.Scanner.Worker/Processing/Surface/HmacDsseEnvelopeSigner.cs` - `HmacDsseEnvelopeSigner` producing HMAC-signed DSSE envelopes for scan artifacts, providing integrity verification during transit through intermediary proxies
- **DSSE Signing Infrastructure**:
- `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.Verification.cs` - DSSE signature verification pipeline used downstream for validating signed envelopes
- `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs` - `DsseEnvelope` model representing Dead Simple Signing Envelope structures
- `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseSignature.cs` - `DsseSignature` model for individual signatures within envelopes
## What's Missing
- **Gateway Configuration**: No NGINX/Envoy/WAF gateway configuration templates or middleware for injecting provenance headers (X-Stella-Provenance, X-Stella-Scan-Id) into proxied requests
- **mTLS Certificate Management**: No scanner-specific mTLS certificate provisioning, rotation, or trust store configuration for gateway traversal
- **Provenance Header Middleware**: No ASP.NET Core middleware for reading/validating provenance headers on the receiving side (WebService, EvidenceLocker endpoints)
- **Gateway Health Probes**: No health check endpoints specifically designed for gateway liveness/readiness through proxy chains
- **Configuration Schema**: No structured configuration for declaring gateway topology (proxy chain depth, intermediate certificate authorities, header propagation rules)
## Implementation Plan
1. Create `GatewayProvenanceMiddleware` in `StellaOps.Scanner.WebService` that reads and validates X-Stella-Provenance headers from proxied requests
2. Create `MtlsCertificateProvider` in `StellaOps.Scanner.Worker` for provisioning and rotating scanner client certificates
3. Add gateway configuration templates (NGINX, Envoy) under `devops/` with provenance header injection rules
4. Extend `HmacDsseEnvelopeSigner` to embed gateway hop metadata in DSSE envelope payloads
5. Add integration tests verifying envelope integrity through simulated proxy chains
6. Add configuration schema for gateway topology in `StellaOps.Scanner.Core`
## E2E Test Plan
- [ ] Configure a scanner worker behind an NGINX reverse proxy and verify HMAC-signed DSSE envelopes are produced and transit successfully to the evidence locker
- [ ] Verify provenance headers (X-Stella-Provenance, X-Stella-Scan-Id) are injected by the gateway and validated by the receiving service
- [ ] Verify mTLS client certificate authentication between scanner worker and gateway proxy
- [ ] Verify DSSE envelope signature remains valid after traversing a multi-hop proxy chain (scanner -> proxy -> WAF -> service)
- [ ] Verify gateway health probes report correct status through the proxy chain
- [ ] Verify the system rejects requests with missing or tampered provenance headers
## Related Documentation
- Source: See feature catalog
- Architecture: `docs/modules/scanner/architecture.md`

25
docs/features/dropped/dsse-rekor-batch-size-benchmarking-tool.md Normal file
View File

@@ -0,0 +1,25 @@
# DSSE+Rekor Batch Size Benchmarking Tool (stella-attest-bench)
## Status
NOT_FOUND
## Description
The advisory proposed a dedicated CLI benchmarking tool (stella-attest-bench) to sweep DSSE envelope batch sizes against Rekor and determine optimal defaults. While the underlying DSSE and Rekor infrastructure exists, no dedicated benchmarking/experiment tool was implemented.
## Why Not Implemented
- No dedicated `stella-attest-bench` CLI tool found
- The underlying DSSE and Rekor infrastructure is fully implemented in `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`:
- `Signing/DsseEnvelope.cs`, `DsseSignature.cs` -- DSSE envelope support
- `Rekor/EnhancedRekorProofBuilder.Build.cs`, `EnhancedRekorProofBuilder.Validate.cs` -- Rekor integration
- `Rekor/RekorInclusionProof.cs` -- Rekor inclusion proofs
- The Bench module (`src/Bench/StellaOps.Bench/`) has benchmarking infrastructure (LinkNotMerge scenario runner, JSON/Prometheus reporting) but no DSSE batch size sweeping tool
- The Bench infrastructure (BenchmarkConfig, BenchmarkJsonWriter, PrometheusWriter) could serve as a foundation for a DSSE batch benchmark
- This is a low-priority optimization tool; the DSSE+Rekor pipeline works but batch size tuning requires a dedicated experiment harness
## Source
- Feature matrix scan
## Notes
- Module: Attestor
- Modules referenced: N/A
- Related: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/` (Rekor integration), `src/Bench/` (benchmarking infrastructure)

102
docs/features/dropped/ebpf-runtime-signal-integration.md Normal file
View File

@@ -0,0 +1,102 @@
# eBPF Runtime Signal Integration (Probe Management, Type Granularity, and Tier 5 Evidence)
## Module
Signals (with cross-module touchpoints in Scanner and Zastava)
## Status
PARTIALLY_IMPLEMENTED
## Description
eBPF signals library project exists with probe, parser, and enrichment infrastructure. Runtime signal ingestion is connected to the Unknowns module. The structure suggests it is in progress but not production-ready. This is the "Tier 5" runtime evidence layer complementing the existing Tiers 1-4 (static analysis, binary fingerprinting, SBOM-based evidence). Includes probe lifecycle management in Zastava and probe-type-aware confidence scoring in Scanner.
## What's Implemented
- **RuntimeSignalCollector**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs` -- collects runtime signals from eBPF probes
- **RuntimeEvidenceCollector**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeEvidenceCollector.cs` -- collects runtime evidence from eBPF events
- **CoreProbeLoader**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/CoreProbeLoader.cs` -- loads core eBPF probes
- **AirGapProbeLoader**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Probes/AirGapProbeLoader.cs` -- offline/air-gap compatible probe loading
- **EventParser**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Parsers/EventParser.cs` -- parses raw eBPF events into structured models
- **RuntimeEventEnricher**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Enrichment/RuntimeEventEnricher.cs` -- enriches runtime events with container/SBOM context
- **CgroupContainerResolver**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Cgroup/CgroupContainerResolver.cs` -- resolves cgroup paths to container identities
- **RuntimeEvidenceNdjsonWriter**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Output/RuntimeEvidenceNdjsonWriter.cs` -- writes evidence in NDJSON format
- **AttestorEvidenceChunkSigner**: `src/Signals/__Libraries/StellaOps.Signals.Ebpf/Signing/AttestorEvidenceChunkSigner.cs` -- signs evidence chunks for attestation
- **DotNetEventPipeAgent**: `src/Signals/StellaOps.Signals.RuntimeAgent/DotNetEventPipeAgent.cs` -- .NET EventPipe agent (production-ready for .NET)
- **Interfaces**: `IRuntimeSignalCollector`, `IEbpfProbeLoader`, `IContainerIdentityResolver`, `IContainerStateProvider`, `IImageDigestResolver`, `ISbomComponentProvider`
- **Scanner Runtime Trace Ingestion**: `src/Scanner/__Libraries/StellaOps.Scanner.Runtime/Ingestion/TraceIngestionService.cs` -- ingests runtime traces
- **Scanner Witness Infrastructure**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/RuntimeObservation.cs` -- runtime-observed function invocations (timestamp, function signature, process context), but currently without a ProbeType discriminator
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/PathWitness.cs` -- combines static call-graph paths with runtime observations
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessDsseSigner.cs` -- signs runtime witness predicates for attestation
- `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Witnesses/WitnessPredicateBuilder.cs` -- builds DSSE-signable witness predicates from runtime observations
- **Zastava Probe Manager**: `src/Zastava/StellaOps.Zastava.Observer/Probes/EbpfProbeManager.cs` -- implements `IProbeManager` and `IAsyncDisposable`; manages eBPF probe lifecycle with `OnContainerStartAsync`/stop hooks; uses `IRuntimeSignalCollector` and `ISignalPublisher`; tracks active probe handles via `ConcurrentDictionary<string, SignalCollectionHandle>`; configurable via `EbpfProbeManagerOptions`
## What's Missing
### Signals (core infrastructure)
- **Production-grade kernel probe deployment**: No production deployment automation (probe installation, lifecycle management, Helm charts, systemd units)
- **Kernel-level function entry/exit tracing**: No BTF-backed function entry/exit tracing with accurate call stacks at scale
- **Performance SLA compliance**: No benchmarking proving low overhead under production workload
- **Kernel version compatibility matrix**: No detection and fallback strategies for different kernel versions
- **Cross-platform runtime agents**: Beyond .NET (Java JVMTI, Go delve, Python sys.settrace, Node.js native) not yet built
- **Runtime backport detection**: No logic comparing runtime traces against known-patched function signatures
- **Integration testing**: No integration tests with multiple container runtimes (containerd, CRI-O, Podman)
- **Production monitoring**: No dashboards and alerting for probe health
### Scanner (probe type granularity)
- **ProbeType Enum**: No `ProbeType` enum (Kprobe, Uprobe, Tracepoint, Usdt, Fentry, RawTracepoint) defined on or associated with `RuntimeObservation`
- **Probe-Aware Confidence Scoring**: Reachability confidence scoring does not differentiate based on probe attachment type (e.g., uprobe on a specific function is higher fidelity than a kprobe on a syscall)
- **ProbeType Propagation**: The Signals.Ebpf pipeline does not tag observations with their originating probe type before forwarding to the scanner
- **Predicate Schema Update**: Witness DSSE predicates do not include probeType in their signed payload schema
### Zastava (probe lifecycle management)
- No tests for EbpfProbeManager
- No integration with the Observer's `ContainerLifecycleHostedService` to automatically attach/detach probes
- No eBPF probe configuration UI or CLI
- Limited probe types (needs expansion for different kernel hook points)
- No probe health monitoring or failure recovery
## Implementation Plan
### Phase 1: Core production readiness (Signals)
- Benchmark eBPF probe overhead in production-like environments with performance SLAs
- Implement kernel version detection and compatibility matrix with fallback strategies
- Add integration tests for containerd, CRI-O, and Podman container runtimes
- Implement probe lifecycle management (hot-reload, graceful degradation)
- Production deployment automation with Helm charts and systemd units
### Phase 2: Probe type granularity (Scanner)
1. Define `ProbeType` enum in `StellaOps.Scanner.Reachability/Witnesses/` with values: Kprobe, Uprobe, Tracepoint, Usdt, Fentry, RawTracepoint, Unknown
2. Add optional `ProbeType` property to `RuntimeObservation`
3. Update `Signals.Ebpf` pipeline to tag observations with their originating probe type
4. Update `WitnessPredicateBuilder` to include probeType in signed predicates
5. Update reachability confidence scoring to apply probe-type-aware weights (uprobe > tracepoint > kprobe)
### Phase 3: Probe management (Zastava)
- Add unit tests for EbpfProbeManager lifecycle (attach/detach/dispose)
- Integrate with ContainerLifecycleHostedService for automatic probe management
- Expand probe types for syscall, network, and filesystem observation
- Add probe health monitoring with automatic reattachment on failure
- Add CLI/API for probe configuration management
### Phase 4: Extended runtime agents
- Add runtime backport detection comparing traces against patched function signatures
- Implement cross-platform runtime agents for Java, Go, Python
- Add production monitoring dashboards and alerting
## E2E Test Plan
- [ ] Collect runtime observations from a uprobe-attached function and verify the ProbeType field is set to `Uprobe`
- [ ] Collect runtime observations from a kprobe-attached syscall and verify the ProbeType field is set to `Kprobe`
- [ ] Verify reachability confidence scoring assigns higher weight to uprobe observations than kprobe observations
- [ ] Verify the witness DSSE predicate payload includes the probeType field and the signature covers it
- [ ] Verify backward compatibility: observations without ProbeType default to `Unknown`
- [ ] Verify ProbeType is preserved through the full pipeline: eBPF collection -> signal forwarding -> scanner ingestion -> witness predicate -> reachability score
- [ ] Verify EbpfProbeManager attaches probes on container start and detaches on container stop
- [ ] Verify probe health monitoring detects failed probes and triggers reattachment
## Related Documentation
- Source: See feature catalog
- Architecture: `docs/modules/scanner/architecture.md`
## Merged From
- `signals/tier-5-runtime-trace-evidence.md` (previously merged)
- `scanner/ebpf-probe-type-granularity.md` (merged -- probe type granularity for scanner witness infrastructure)
- `zastava/ebpf-probe-manager.md` (merged -- eBPF probe lifecycle management in Zastava observer)

52
docs/features/dropped/ecosystem-reality-acceptance-test-fixtures.md Normal file
View File

@@ -0,0 +1,52 @@
# Ecosystem Reality Acceptance Test Fixtures
## Module
Scanner
## Status
PARTIALLY_IMPLEMENTED
## Description
Maps five specific real-world production incidents (credential leak, offline DB schema mismatch, SBOM parity drift, scanner instability, ecosystem-specific SCA failure) into deterministic acceptance test fixtures. Each fixture reproduces the incident scenario end-to-end with frozen inputs and expected outputs, ensuring the scanner does not regress on previously observed production failures.
## What's Implemented
- **SCA Failure Catalogue**:
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests/` - Node.js SCA test fixtures covering package resolution edge cases
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/` - Ruby SCA test fixtures covering Gemfile.lock parsing
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/` - Java SCA test fixtures covering Maven/Gradle dependency resolution
- **SmartDiff Golden Fixtures**:
- `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/` - Deterministic golden fixture tests for diff-aware rescanning, covering expected SBOM delta outputs
- **Determinism Infrastructure**:
- Existing test projects use frozen fixture files (JSON SBOMs, lock files, manifest files) as inputs with expected output assertions
## What's Missing
- **Incident-to-Test Mapping**: No structured mapping from five specific real-world incidents to dedicated test fixtures:
1. **Credential Leak Incident**: No fixture reproducing a secret detection false-negative that led to a credential leak in production
2. **Offline DB Schema Mismatch**: No fixture reproducing scanner behavior when the offline vulnerability database schema version mismatches the scanner version
3. **SBOM Parity Drift**: No fixture reproducing divergence between container-scanned SBOM and source-scanned SBOM for the same artifact
4. **Scanner Instability**: No fixture reproducing non-deterministic scanner output across repeated scans of the same image layer
5. **Ecosystem SCA Failure**: No fixture reproducing ecosystem-specific SCA resolution failures (e.g., npm optional dependency with missing platform binary)
- **Incident Metadata**: No `incident.metadata.json` files linking each fixture to its originating production incident (date, severity, root cause, fix)
- **Acceptance Test Runner**: No dedicated CI job or test category for running ecosystem reality acceptance tests separately from unit tests
## Implementation Plan
1. Create `src/Scanner/__Tests/StellaOps.Scanner.EcosystemReality.Tests/` project with five incident fixture directories
2. For each incident, create: `incident.metadata.json` (date, severity, root cause), frozen input fixtures, expected output assertions
3. Implement credential leak fixture using a container layer with an embedded secret that was previously missed
4. Implement offline DB schema mismatch fixture with mismatched vuln-db schema version headers
5. Implement SBOM parity drift fixture with container vs. source scan inputs producing divergent SBOMs
6. Implement scanner instability fixture verifying byte-identical output across 10 repeated scans
7. Implement ecosystem SCA failure fixture with npm optional dependency edge case
8. Add CI job category `ecosystem-reality` for running these acceptance tests
## E2E Test Plan
- [ ] Run the credential leak incident fixture and verify the scanner now detects the previously-missed embedded secret in the container layer
- [ ] Run the offline DB schema mismatch fixture and verify the scanner produces a clear error or graceful degradation when vuln-db schema version does not match
- [ ] Run the SBOM parity drift fixture and verify the scanner flags divergence between container-scanned and source-scanned SBOMs for the same artifact
- [ ] Run the scanner instability fixture and verify byte-identical SBOM output across 10 repeated scans of the same frozen image layer
- [ ] Run the ecosystem SCA failure fixture and verify correct handling of npm optional dependencies with missing platform binaries
- [ ] Verify each fixture includes incident.metadata.json with date, severity, root cause, and link to the originating production incident
## Related Documentation
- Source: See feature catalog
- Architecture: `docs/modules/scanner/architecture.md`

35
docs/features/dropped/evidence-ttl-and-staleness-policy.md Normal file
View File

@@ -0,0 +1,35 @@
# Evidence TTL and staleness policy
## Module
Signals
## Status
PARTIALLY_IMPLEMENTED
## Description
Retention options and lifecycle services exist for evidence expiry, but the advisory noted TTL strategy at 50% coverage.
## What's Implemented
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals/Options/`
- **Key Classes**:
- `UnknownsDecayService` (`src/Signals/StellaOps.Signals/Services/UnknownsDecayService.cs`) - applies decay to stale unknown findings (related TTL behavior)
- `UnknownsDecayOptions` (`src/Signals/StellaOps.Signals/Options/UnknownsDecayOptions.cs`) - configurable decay/TTL thresholds
- `NightlyDecayWorker` (`src/Signals/StellaOps.Signals/Services/NightlyDecayWorker.cs`) - scheduled worker for TTL processing
- **Source**: Feature matrix scan
## What's Missing
- Comprehensive evidence TTL policy engine covering all evidence types (callgraph, runtime, SBOM correlation, attestation)
- Per-evidence-type configurable TTL with different retention periods
- Staleness detection that marks evidence as stale before hard expiry
- Automated evidence archival workflow (move to cold storage before deletion)
- TTL policy dashboard showing evidence age distribution and upcoming expirations
## Implementation Plan
- Implement `EvidenceTtlPolicyEngine` with per-type configurable retention periods
- Add staleness detection service that marks evidence nearing TTL as stale
- Implement evidence archival pipeline for cold storage migration
- Add TTL policy configuration UI and monitoring dashboard
- Extend `NightlyDecayWorker` to handle evidence expiry across all evidence types
## Related Documentation
- Source: See feature catalog

34
docs/features/dropped/golden-benchmark-fixtures.md Normal file
View File

@@ -0,0 +1,34 @@
# Golden Benchmark Fixtures (Core-10)
## Status
PARTIALLY_IMPLEMENTED
## Description
The advisory describes 10 golden reachability benchmark fixtures (C, Java, .NET, Python, container), but no pre-built fixture datasets were found in the source tree. The ReachGraph service infrastructure exists but the specific Core-10 fixture data files are not present.
## Module
Bench
## What's Implemented
- **Multi-runtime corpus**: `src/__Tests/reachability/corpus/` (5 runtimes: dotnet, go, java, python, rust)
- **Additional VEX corpus**: `src/tests/reachability/corpus/` (4 runtimes with OpenVEX files)
- **Expanded benchmarks**: `src/__Tests/reachability/fixtures/reachbench-2025-expanded/`
- **Patch oracles**: `src/__Tests/reachability/fixtures/patch-oracles/`
- **PoE fixtures**: `src/__Tests/reachability/PoE/Fixtures/`
- **Scoring golden corpus**: `src/__Tests/__Benchmarks/golden-corpus/` (VEX scenarios and severity levels)
- **Fixture harvester tool**: `src/__Tests/Tools/FixtureHarvester/SbomGoldenCommand.cs`
- **Corpus management scripts**: `src/__Tests/reachability/scripts/update_corpus_manifest.py`
- **Fixture tests**: `src/__Tests/reachability/StellaOps.Reachability.FixtureTests/`
## What's Missing
- The exact advisory-specified "Core-10" named fixture set (10 specific golden reachability benchmark fixtures covering C, Java, .NET, Python, container)
- Formal Core-10 naming convention and documentation
- C runtime reachability corpus (only dotnet, go, java, python, rust present)
## Implementation Plan
- Audit existing fixtures against the Core-10 specification from the advisory
- Add C runtime corpus if required
- Formalize Core-10 naming and documentation
## Source
- Feature matrix scan

39
docs/features/dropped/metrics-for-attestation-coverage-and-time-to-evidence.md Normal file
View File

@@ -0,0 +1,39 @@
# Metrics for attestation coverage and time-to-evidence
## Module
Unknowns
## Status
PARTIALLY_IMPLEMENTED
## Description
Some metrics services exist but the advisory noted metrics coverage at only 30%.
## What's Implemented
- **Unknowns Metrics Service**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsMetricsService.cs` -- exposes basic Prometheus/OpenTelemetry metrics for the unknowns queue including queue depth, resolution counts, and SLA breach counts.
- **Unknowns SLA Monitor Service**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsSlaMonitorService.cs` -- monitors SLA compliance for unknown resolution timelines, providing partial time-to-evidence tracking for the unknowns domain.
- **Unknowns SLA Health Check**: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsSlaHealthCheck.cs` -- health check endpoint reporting unknowns SLA status, contributing to observability but not comprehensive attestation coverage metrics.
- **Unknown Ranking Model**: `src/Unknowns/__Libraries/StellaOps.Unknowns.Core/Models/UnknownRanking.cs` -- ranking model that includes priority scoring which could inform metrics prioritization.
## What's Missing
- **Attestation Coverage Metrics**: No metrics track what percentage of release artifacts have complete attestation chains. The unknowns metrics cover queue health but not attestation completeness across the entire pipeline (e.g., "X% of images have SBOM + VEX + provenance attestations").
- **Time-to-Evidence Metrics**: No end-to-end time-to-evidence metric exists tracking the duration from vulnerability discovery to complete evidence availability (scanner result -> reachability analysis -> VEX decision -> attestation). The SLA monitor tracks unknowns resolution time but not the broader evidence pipeline.
- **Per-Provider Coverage Breakdown**: No metrics break down attestation coverage by provider/scanner (e.g., "Trivy provides SBOM for 95% of images, reachability analysis covers 60%").
- **Evidence Freshness Metrics**: No metrics track evidence staleness (e.g., "SBOM is 30 days old, VEX decision is 7 days old") across the artifact estate.
- **Dashboard Integration**: No pre-built Grafana dashboards or Web UI panels exist for visualizing attestation coverage and time-to-evidence trends.
- **Cross-Module Metrics Aggregation**: Metrics are siloed per module (Unknowns, Attestor, EvidenceLocker); no aggregation layer combines them into a unified attestation coverage view.
## Implementation Plan
- Define attestation coverage metrics: per-artifact attestation completeness (SBOM present, VEX present, provenance present, reachability analysis present)
- Implement a metrics aggregation service that queries Attestor, EvidenceLocker, and Unknowns to compute estate-wide attestation coverage percentages
- Add time-to-evidence histogram metrics tracking the duration from vulnerability publication to complete evidence chain availability
- Add per-provider coverage breakdown metrics
- Add evidence freshness metrics (age of latest SBOM, VEX, provenance per artifact)
- Build Grafana dashboard templates for attestation coverage and time-to-evidence visualization
- Target: increase metrics coverage from 30% to 90%+ of the advisory specification
## Related Documentation
- Unknowns metrics: `src/Unknowns/StellaOps.Unknowns.Services/UnknownsMetricsService.cs`
- Attestor proof chain: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`
- Evidence locker: `src/EvidenceLocker/`
- VexLens (VEX processing): `src/VexLens/`

41
docs/features/dropped/mi10-theme-contrast-guidance.md Normal file
View File

@@ -0,0 +1,41 @@
# MI10 - Theme/Contrast Guidance (Light/Dark/HC Tokens)
## Module
Web
## Status
PARTIALLY_IMPLEMENTED
## Description
Color tokens and focus ring styles exist. Theme transition utilities are implemented. However, the specific theming doc `docs/modules/ui/micro-theme.md` and explicit HC (high-contrast) mode tokens with 4.5:1/3:1 contrast validation were not found as standalone artifacts.
## What's Implemented
- Color tokens and focus ring styles exist in the Angular codebase
- Theme transition utilities are implemented
- Dark mode support exists
## What's Missing
- **High-contrast (HC) mode tokens**: No dedicated HC theme with WCAG 4.5:1 (normal text) and 3:1 (large text/icons) validated contrast ratios
- **Theme specification document**: No `docs/modules/ui/micro-theme.md` formalizing the light/dark/HC token sets
- **Contrast validation tooling**: No automated CI check validating contrast ratios across all color tokens
- **HC mode toggle**: No user-facing toggle for high-contrast mode in settings
## Implementation Plan
- Create HC theme token set with WCAG-validated contrast ratios
- Add contrast ratio validation CI check using color-contrast tooling
- Add HC mode toggle to user settings
- Document theme tokens in `docs/modules/ui/micro-theme.md`
## E2E Test Plan
- **Setup**:
- [ ] Log in with a user that has appropriate permissions
- [ ] Navigate to the relevant page/section where this feature appears
- [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
- **Core verification**:
- [ ] Verify the component renders correctly with sample data
- [ ] Verify interactive elements respond to user input
- [ ] Verify data is fetched and displayed from the correct API endpoints
- **Edge cases**:
- [ ] Verify graceful handling when backend API is unavailable (error state)
- [ ] Verify responsive layout at different viewport sizes
- [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

53
docs/features/dropped/mi4-error-cancel-undo-patterns.md Normal file
View File

@@ -0,0 +1,53 @@
# MI4 - Error/Cancel/Undo Patterns (Snackbar/Toast with Undo)
## Module
Web
## Status
PARTIALLY_IMPLEMENTED
## Description
i18n keys for toast/undo/undoCountdown patterns exist and snackbar usage is present across components. However, a dedicated centralized snackbar/toast service with the specific 8s undo window and aria-live=polite pattern was not found as a standalone component.
## What's Implemented
- **Existing components**:
- `accordion` (`src/Web/StellaOps.Web/src/app/shared/components/accordion/accordion.component.ts`)
- `ai-assist-panel` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-assist-panel.component.ts`)
- `ai-authority-badge` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-authority-badge.component.ts`)
- `ai-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-chip.component.ts`)
- `ai-explain-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-explain-chip.component.ts`)
- `ai-exploitability-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-exploitability-chip.component.ts`)
- `ai-fix-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-fix-chip.component.ts`)
- `ai-needs-evidence-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-needs-evidence-chip.component.ts`)
- `ai-summary` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-summary.component.ts`)
- `ai-vex-draft-chip` (`src/Web/StellaOps.Web/src/app/shared/components/ai/ai-vex-draft-chip.component.ts`)
- **Existing services**:
- `replay` (`src/Web/StellaOps.Web/src/app/shared/components/reproduce/replay.service.ts`)
- `graph-export` (`src/Web/StellaOps.Web/src/app/shared/services/graph-export.service.ts`)
- `plain-language` (`src/Web/StellaOps.Web/src/app/shared/services/plain-language.service.ts`)
## What's Missing
- **Centralized snackbar/toast service**: No centralized `ToastService` with the specific 8-second undo window, countdown timer, and `aria-live=polite` pattern
- **Undo action infrastructure**: i18n keys for `toast.undo` and `undoCountdown` exist but no centralized undo action queue that buffers destructive operations for the undo window
- **Cancel pattern standardization**: No consistent cancel pattern across all modal/drawer interactions (some modals lack cancel confirmation for dirty forms)
- **Error boundary component**: No centralized error boundary component that catches and displays user-friendly errors with retry actions
## Implementation Plan
- Create centralized `ToastService` with undo support, 8s countdown, and `aria-live=polite`
- Implement undo action queue for buffering destructive operations
- Standardize cancel patterns across modals and drawers
- Add error boundary component with retry actions
## E2E Test Plan
- **Setup**:
- [ ] Log in with a user that has appropriate permissions
- [ ] Navigate to the relevant page/section where this feature appears
- [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
- **Core verification**:
- [ ] Verify the component renders correctly with sample data
- [ ] Verify interactive elements respond to user input
- [ ] Verify data is fetched and displayed from the correct API endpoints
- **Edge cases**:
- [ ] Verify graceful handling when backend API is unavailable (error state)
- [ ] Verify responsive layout at different viewport sizes
- [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

47
docs/features/dropped/mi5-performance-budgets.md Normal file
View File

@@ -0,0 +1,47 @@
# MI5 - Performance Budgets (Interaction Response, Animation Frame, LCP)
## Module
Web
## Status
PARTIALLY_IMPLEMENTED
## Description
Lighthouse CI config exists for performance monitoring. Specific interaction response <=100ms, frame budget 16ms, and layout shift <0.05 budgets were not found as explicitly configured thresholds in test fixtures.
## What's Implemented
- **Existing components**:
- `extension-slot` (`src/Web/StellaOps.Web/src/app/core/plugins/extension-slots/extension-slot.component.ts`)
- **Existing services**:
- `evidence-panel-metrics` (`src/Web/StellaOps.Web/src/app/core/analytics/evidence-panel-metrics.service.ts`)
- `gateway-metrics` (`src/Web/StellaOps.Web/src/app/core/api/gateway-metrics.service.ts`)
- `policy-interop` (`src/Web/StellaOps.Web/src/app/core/api/policy-interop.service.ts`)
- `reachability-integration` (`src/Web/StellaOps.Web/src/app/core/api/reachability-integration.service.ts`)
- `vuln-export-orchestrator` (`src/Web/StellaOps.Web/src/app/core/api/vuln-export-orchestrator.service.ts`)
## What's Missing
- **Interaction response budget**: No explicitly configured <=100ms interaction response threshold in test fixtures or CI checks
- **Animation frame budget**: No configured 16ms frame budget validation for animations
- **Layout shift budget**: No configured <0.05 CLS (Cumulative Layout Shift) threshold enforcement
- **LCP budget**: No Largest Contentful Paint budget configured in Lighthouse CI or performance tests
- **Performance regression CI gate**: Lighthouse CI config exists but no CI gate failing builds on budget violations
## Implementation Plan
- Configure Lighthouse CI budgets: interaction <=100ms, frame 16ms, CLS <0.05, LCP <2.5s
- Add performance regression CI gate failing on budget violations
- Add `evidence-panel-metrics.service.ts` integration with performance budgets for key user flows
- Document performance budgets in frontend architecture docs
## E2E Test Plan
- **Setup**:
- [ ] Log in with a user that has appropriate permissions
- [ ] Navigate to the relevant page/section where this feature appears
- [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
- **Core verification**:
- [ ] Verify the component renders correctly with sample data
- [ ] Verify interactive elements respond to user input
- [ ] Verify data is fetched and displayed from the correct API endpoints
- **Edge cases**:
- [ ] Verify graceful handling when backend API is unavailable (error state)
- [ ] Verify responsive layout at different viewport sizes
- [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

22
docs/features/dropped/mi7-telemetry-schema-for-ui-micro-events.md Normal file
View File

@@ -0,0 +1,22 @@
# MI7 - Telemetry Schema for ui.micro.* Events
## Status
NOT_FOUND
## Description
The ui.micro telemetry JSON schema and associated unit test validator were not found. Triage-specific telemetry exists but the generic micro-interaction telemetry schema is missing.
## Why Not Implemented
- No `ui.micro.*` telemetry JSON schema found in `src/Web/` or `docs/`
- No dedicated micro-interaction telemetry event system found in the Web UI source
- The Telemetry module (`src/Telemetry/StellaOps.Telemetry.Core/`) tracks backend metrics (Time-to-Evidence, attestation metrics, scan completion) but not frontend UI micro-events
- The Web UI does not appear to have an instrumented event bus for tracking fine-grained user interactions
- This was a documentation + schema deliverable; the generic telemetry infrastructure exists but the UI-specific micro-event schema was never defined
## Source
- Feature matrix scan
## Notes
- Module: Web
- Modules referenced: `src/Web`
- Related: `src/Telemetry/` (backend telemetry infrastructure)

40
docs/features/dropped/mi8-deterministic-seeds-snapshots.md Normal file
View File

@@ -0,0 +1,40 @@
# MI8 - Deterministic Seeds/Snapshots (Fixed RNG, Frozen Timestamps)
## Module
Web
## Status
PARTIALLY_IMPLEMENTED
## Description
Deterministic fixture files exist for testing. Storybook preview is configured. However, specific chromatic.disableAnimation parameters and fixed seed exports from a `micro-fixtures.ts` file were not verified.
## What's Implemented
- **Existing services**:
- `determinization` (`src/Web/StellaOps.Web/src/app/core/services/determinization/determinization.service.ts`)
## What's Missing
- **Fixed RNG seed exports**: No `micro-fixtures.ts` file exporting deterministic seed values for Storybook stories and tests
- **Frozen timestamps**: No globally-configurable frozen timestamp provider for deterministic date rendering in snapshots
- **chromatic.disableAnimation**: Storybook preview may not have `chromatic.disableAnimation` configured for consistent visual regression snapshots
- **Deterministic service integration**: `determinization.service.ts` exists but its usage across all Storybook stories for reproducible snapshots is not confirmed
## Implementation Plan
- Create `micro-fixtures.ts` with exported seed values and frozen timestamp provider
- Configure `chromatic.disableAnimation` in Storybook preview config
- Wire `determinization.service.ts` into all Storybook stories for reproducible rendering
- Add documentation for deterministic snapshot patterns
## E2E Test Plan
- **Setup**:
- [ ] Log in with a user that has appropriate permissions
- [ ] Navigate to the relevant page/section where this feature appears
- [ ] Ensure test data exists (scanned artifacts, SBOM data, or seed data as needed)
- **Core verification**:
- [ ] Verify the component renders correctly with sample data
- [ ] Verify interactive elements respond to user input
- [ ] Verify data is fetched and displayed from the correct API endpoints
- **Edge cases**:
- [ ] Verify graceful handling when backend API is unavailable (error state)
- [ ] Verify responsive layout at different viewport sizes
- [ ] Verify accessibility (keyboard navigation, screen reader labels, ARIA attributes)

30
docs/features/dropped/mirror-dsse-revision-contract.md Normal file
View File

@@ -0,0 +1,30 @@
# Mirror DSSE Revision Contract
## Module
AirGap
## Status
PARTIALLY_IMPLEMENTED
## Description
Defines the DSSE signing contract revision for mirror bundles, specifying envelope format, digest algorithm choices, and manifest inclusion rules for air-gapped import verification. Implementation is coordination-level (docs + scripts).
## What's Implemented
- DSSE envelope signing/verification infrastructure: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs`, `DsseSignature.cs`
- DSSE verification step: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/DsseSignatureVerificationStep.cs`
- Importer DSSE parsing: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/DsseAttestationParser.cs`
- Bundle library with manifest support: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/`
- SPDX3 DSSE signing: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.*.cs`
- Source: SPRINT_0150_0001_0001_mirror_dsse.md
## What's Missing
- The mirror-specific DSSE revision contract (specifying envelope format, digest algorithm choices, manifest inclusion rules for mirror bundles specifically) may need formalization as a versioned contract document
- Mirror-specific DSSE tests are referenced in TASKS.md files but may not be complete
## Implementation Plan
- Formalize mirror DSSE contract as versioned specification
- Add mirror-specific DSSE validation tests
- Verify digest algorithm choices are consistent across mirror pipeline
## Related Documentation
- Source: SPRINT_0150_0001_0001_mirror_dsse.md

31
docs/features/dropped/mirror-orchestrator-hook-event.md Normal file
View File

@@ -0,0 +1,31 @@
# Mirror Orchestrator Hook Event (mirror.ready)
## Module
AirGap
## Status
PARTIALLY_IMPLEMENTED
## Description
Defines the mirror.ready event payload {bundleId, generation, generatedAt, dsseDigest, manifestDigest, location} with optional rekorUUID, enabling CLI and export automation to consume mirror bundle readiness notifications.
## What's Implemented
- AirGap controller with event hooks: `src/AirGap/StellaOps.AirGap.Controller/` -- state management and endpoints
- Time hooks: `src/AirGap/StellaOps.AirGap.Time/Hooks/` -- event hooks for time-related operations
- Bundle catalog model: `src/AirGap/StellaOps.AirGap.Importer/Models/BundleCatalogEntry.cs`, `BundleItem.cs` -- bundle metadata with ID, generation, timestamps
- Sync library: `src/AirGap/__Libraries/StellaOps.AirGap.Sync/` -- bundle synchronization infrastructure
- Source: SPRINT_0150_0001_0003_mirror_orch.md
## What's Missing
- The specific `mirror.ready` event with payload `{bundleId, generation, generatedAt, dsseDigest, manifestDigest, location}` may not be formalized as a named event
- CLI/export automation consumption of mirror readiness notifications needs verification
- Optional `rekorUUID` field in event payload needs confirmation
## Implementation Plan
- Define `mirror.ready` event type in eventing system
- Implement event publication when mirror bundle is ready
- Add CLI hook for consuming mirror.ready events
- Add tests for event payload validation
## Related Documentation
- Source: SPRINT_0150_0001_0003_mirror_orch.md

23
docs/features/dropped/multi-scanner-comparative-benchmarking.md Normal file
View File

@@ -0,0 +1,23 @@
# Multi-scanner Comparative Benchmarking
## Status
NOT_FOUND
## Description
Advisory describes a benchmarking protocol comparing StellaOps scan results against Trivy/Grype/Snyk with precision/recall metrics. No CLI comparison tool or benchmark harness found.
## Why Not Implemented
- No dedicated CLI comparison tool or multi-scanner benchmark harness found
- A `compare.py` script exists at `src/__Tests/__Benchmarks/tools/compare.py` but it appears to be a general comparison utility, not a full multi-scanner benchmarking protocol
- The Bench module (`src/Bench/`) has benchmarking infrastructure (LinkNotMerge scenarios, Prometheus reporting) but not scanner comparison harnesses
- Golden corpus exists at `src/__Tests/__Benchmarks/golden-corpus/` with VEX scenarios and severity levels, which could serve as ground truth for scanner comparison
- The Scanner module has its own benchmark and test infrastructure but does not compare against external scanners (Trivy/Grype/Snyk)
- This would require external scanner integration which conflicts with the offline-first posture
## Source
- Feature matrix scan
## Notes
- Module: Bench
- Modules referenced: N/A
- Related: `src/__Tests/__Benchmarks/tools/compare.py` (comparison utility), `src/__Tests/__Benchmarks/golden-corpus/` (ground truth data)

37
docs/features/dropped/playbook-learning.md Normal file
View File

@@ -0,0 +1,37 @@
# Playbook Learning (Run-to-Patch Pipeline)
## Module
AdvisoryAI
## Status
PARTIALLY_IMPLEMENTED
## Description
Run artifacts and evidence bundles support playbook-related data, but dedicated playbook learning, patch proposal generation, and versioned playbook management are not fully distinct modules yet.
## What's Implemented
- **Run tracking infrastructure**: `RunService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/RunService.cs`) tracks runs with artifacts and events
- **Run models**: `Run`, `RunArtifact`, `RunEvent` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/Models/`) capture run outcomes
- **Run storage**: `InMemoryRunStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/InMemoryRunStore.cs`) persists run data
- **Evidence bundle assembly**: `EvidenceBundleAssembler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/EvidenceBundleAssembler.cs`) assembles evidence packs from data providers
- **Remediation planning**: `AiRemediationPlanner` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/AiRemediationPlanner.cs`) generates fix plans
- **PR generation**: `GitHubPullRequestGenerator`, `GitLabMergeRequestGenerator`, `AzureDevOpsPullRequestGenerator` create PRs from remediation plans
- **Run API endpoints**: `RunEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/RunEndpoints.cs`) exposes run data
- **Advisory output persistence**: `AdvisoryOutputStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Outputs/AdvisoryOutputStore.cs`), `FileSystemAdvisoryOutputStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/FileSystemAdvisoryOutputStore.cs`)
## What's Missing
- **Playbook learning engine**: No dedicated module that analyzes past run outcomes to learn optimal remediation patterns and build reusable playbooks
- **Versioned playbook management**: No playbook versioning, publishing, or catalog system for sharing learned remediation workflows
- **Patch proposal generation**: No automated system that generates patch proposals by combining learned patterns from successful past remediations
- **Feedback loop learning**: No mechanism to feed PR merge/reject outcomes back into the learning engine to improve future recommendations
- **Playbook template library**: No library of reusable playbook templates (e.g., "upgrade-npm-dependency", "patch-container-base-image") with parameterization
## Implementation Plan
- Build a playbook learning engine that analyzes successful `Run` outcomes from `RunService`/`InMemoryRunStore`
- Add versioned playbook model with CRUD operations and a catalog API
- Implement patch proposal generation by matching current vulnerabilities against learned playbook patterns
- Add feedback loop from SCM connectors (PR merge/reject events) back to the learning engine
- Create a playbook template library with parameterized remediation workflows
## Related Documentation
- Source: Feature matrix scan

23
docs/features/dropped/proof-market-ledger-and-adaptive-trust-economics.md Normal file
View File

@@ -0,0 +1,23 @@
# Proof-Market Ledger and Adaptive Trust Economics
## Status
NOT_FOUND
## Description
No implementation of a proof marketplace or adaptive trust economics model was found in the source code.
## Why Not Implemented
- No proof marketplace, trust economics model, or adaptive trust ledger found anywhere in `src/`
- No `ProofMarket`, `TrustEconomics`, or `TrustLedger` modules, namespaces, or classes exist
- The proof chain system (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/`) provides cryptographic proof generation and verification but not a marketplace or economic model
- The trust verdict system tracks trust levels but not economics
- This appears to be a research/vision concept with no implementation started
- Likely deferred indefinitely as it requires novel research into trust economics
## Source
- Feature matrix scan
## Notes
- Module: Uncategorized
- Modules referenced: N/A
- This is a forward-looking research concept, not a near-term engineering deliverable

37
docs/features/dropped/runtime-trace-merge.md Normal file
View File

@@ -0,0 +1,37 @@
# Runtime trace merge (eBPF/ETW observed edges)
## Module
Signals
## Status
PARTIALLY_IMPLEMENTED
## Description
Runtime facts ingestion and provenance normalization exist, but full eBPF/ETW trace integration appears to be at the synthetic probe level rather than production-grade runtime tracing.
## What's Implemented
- **Modules**: `src/Signals/StellaOps.Signals/Services/`, `src/Signals/StellaOps.Signals.RuntimeAgent/`, `src/Signals/__Libraries/StellaOps.Signals.Ebpf/`
- **Key Classes**:
- `RuntimeFactsIngestService` (`src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs`) - ingests runtime facts from agents
- `SyntheticRuntimeProbeBuilder` (`src/Signals/StellaOps.Signals/Services/SyntheticRuntimeProbeBuilder.cs`) - builds synthetic runtime probes for testing reachability
- `ProcSnapshotDocument` (`src/Signals/StellaOps.Signals/Models/ProcSnapshotDocument.cs`) - process snapshot model for runtime state capture
- `ReachabilityLattice` (`src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs`) - merge logic for combining static and runtime evidence
- `RuntimeSignalCollector` (`src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs`) - eBPF-based runtime signal collection (experimental)
- **Source**: Feature matrix scan
## What's Missing
- Production-grade eBPF trace merging with static callgraph edges
- ETW (Event Tracing for Windows) trace collection and merge
- Conflict resolution when runtime traces contradict static analysis
- Runtime trace deduplication across multiple collection windows
- Performance profiling of trace merge under high-volume runtime data
## Implementation Plan
- Implement runtime-to-static edge merge algorithm with conflict resolution strategies
- Add ETW trace collection agent for Windows container environments
- Implement trace deduplication with temporal windowing
- Benchmark merge performance and optimize for high-throughput runtime streams
- Add integration tests for eBPF and ETW trace merge scenarios
## Related Documentation
- Source: See feature catalog

54
docs/features/dropped/scanner-deterministic-regression-test-framework.md Normal file
View File

@@ -0,0 +1,54 @@
# Scanner Deterministic Regression Test Framework
## Module
Scanner
## Status
PARTIALLY_IMPLEMENTED
## Description
A structured regression test framework with standardized case layout, golden fixture comparison, and dedicated CI job. Each regression case is identified by `SCN-XXXX-slug`, contains frozen inputs and expected outputs, and uses byte-level comparison to detect scanner output drift.
## What's Implemented
- **Existing Determinism Tests**:
- `src/Scanner/__Tests/StellaOps.Scanner.SmartDiff.Tests/` - Golden fixture tests for SmartDiff comparing actual vs. expected SBOM deltas with frozen inputs
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Node.Tests/` - Deterministic language analyzer tests with frozen package.json/lock files
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Ruby.Tests/` - Deterministic Ruby analyzer tests with frozen Gemfile.lock fixtures
- `src/Scanner/__Tests/StellaOps.Scanner.Analyzers.Lang.Java.Tests/` - Deterministic Java analyzer tests with frozen pom.xml/build.gradle fixtures
- **Reachability Tests**:
- `src/Scanner/__Tests/StellaOps.Scanner.Reachability.Tests/` - Reachability analysis tests with frozen call-graph fixtures and expected classification outputs
- **Test Infrastructure**:
- Existing test projects demonstrate the golden fixture pattern (frozen input -> run analyzer -> compare against expected output) but each project uses its own ad-hoc fixture layout
## What's Missing
- **Standardized Case Layout**: No `Regression/` directory with `SCN-XXXX-slug/` subdirectories containing:
- `case.metadata.json` (case ID, description, scanner version that introduced the regression, severity)
- `case.md` (human-readable regression description with root cause analysis)
- `input/` (frozen input fixtures: container layers, SBOMs, lock files)
- `expected/` (expected output fixtures: SBOMs, reachability results, verdict payloads)
- **Regression Test Runner**: No unified test runner that discovers all `SCN-XXXX-slug/` cases, runs each through the scanner pipeline, and performs byte-level output comparison
- **Dedicated CI Job**: No `scanner-regression` CI job that runs regression tests separately from unit tests with clear pass/fail reporting per case
- **Regression Case Generator**: No tooling to capture a failing scanner scenario and automatically generate a new `SCN-XXXX-slug/` case from it
- **Drift Detection**: No tooling to detect when scanner output changes (intentionally or unintentionally) and prompt for expected-output updates with review
## Implementation Plan
1. Create `src/Scanner/__Tests/StellaOps.Scanner.Regression.Tests/` project with case discovery infrastructure
2. Define `case.metadata.json` schema with fields: caseId, slug, description, introducedInVersion, severity, tags
3. Create initial regression cases from existing golden fixture tests (migrate 5-10 representative cases)
4. Implement `RegressionTestRunner` that discovers cases, runs scanner pipeline on inputs, compares outputs byte-by-byte
5. Add `case-capture` CLI tool that takes a scanner invocation and generates a new case directory with frozen inputs and current outputs
6. Add `scanner-regression` CI job in `.gitea/workflows/` that runs regression tests and reports per-case pass/fail
7. Add drift detection that generates a diff report when expected output changes
## E2E Test Plan
- [ ] Run the regression test runner and verify all `SCN-XXXX-slug/` cases produce output that byte-matches their `expected/` fixtures
- [ ] Add a new regression case using the case-capture tool and verify it is automatically discovered by the test runner on the next run
- [ ] Introduce an intentional scanner change that modifies output for one case and verify the regression test runner detects the drift and fails the case
- [ ] Update the expected output for the changed case and verify the test runner passes again
- [ ] Verify `case.metadata.json` is validated on test startup (missing required fields cause a clear error)
- [ ] Verify the CI job produces a per-case pass/fail report with case ID, slug, and failure diff for any failing cases
- [ ] Verify regression tests run in under 5 minutes for the initial 10-case corpus
## Related Documentation
- Source: See feature catalog
- Architecture: `docs/modules/scanner/architecture.md`

31
docs/features/dropped/time-to-evidence-metric.md Normal file
View File

@@ -0,0 +1,31 @@
# Time-to-Evidence (TTE) Metric
## Status
PARTIALLY_IMPLEMENTED
## Description
The TTE metric (measuring time from finding open to first proof rendered) is not implemented in the frontend or backend.
## Module
Telemetry
## What's Implemented
- **TTE metrics collection**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TimeToEvidenceMetrics.cs`
- **Percentile exporter**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TtePercentileExporter.cs` (P50/P90/P99)
- **Scan completion integration**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/ScanCompletionMetricsIntegration.cs`
- **Attestation metrics**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/Metrics/AttestationMetrics.cs`
- **DI registration**: `src/Telemetry/StellaOps.Telemetry.Core/StellaOps.Telemetry.Core/TelemetryServiceCollectionExtensions.cs`
- **Baseline tracking**: `src/__Tests/__Benchmarks/baselines/ttfs-baseline.json`
## What's Missing
- Frontend visualization of TTE metrics (dashboard/chart in Web UI)
- TTE trend visualization over time
- Per-finding TTE breakdown in the UI
## Implementation Plan
- Add TTE dashboard widget to Web UI
- Show TTE percentile trends over time
- Include TTE metric in finding detail view
## Source
- Feature matrix scan

34
docs/features/unchecked/advisoryai/advisoryai-orchestrator.md Normal file
View File

@@ -0,0 +1,34 @@
# AdvisoryAI Orchestrator (Chat + Workbench + Runs)
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
The AdvisoryAI module provides a chat orchestrator with session management, run tracking (with artifacts and events), and tool routing. Backend web service with chat and run endpoints is operational.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Worker/`
- **Key Classes**:
- `AdvisoryPipelineOrchestrator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Orchestration/AdvisoryPipelineOrchestrator.cs`) - main pipeline orchestrator coordinating task plans and execution
- `AdvisoryPipelineExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Execution/AdvisoryPipelineExecutor.cs`) - executes advisory pipeline stages
- `AdvisoryChatService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/AdvisoryChatService.cs`) - chat session orchestration service
- `ConversationService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ConversationService.cs`) - manages conversation state and context
- `RunService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/RunService.cs`) - tracks runs with artifacts and events
- `InMemoryRunStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Runs/InMemoryRunStore.cs`) - in-memory storage for run data
- `AdvisoryChatIntentRouter` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Routing/AdvisoryChatIntentRouter.cs`) - routes chat intents to appropriate handlers
- `ChatEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/ChatEndpoints.cs`) - REST endpoints for chat operations
- `RunEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/RunEndpoints.cs`) - REST endpoints for run tracking
- `AdvisoryTaskWorker` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Worker/Services/AdvisoryTaskWorker.cs`) - background worker processing advisory tasks
- **Interfaces**: `IAdvisoryPipelineOrchestrator`, `IRunService`, `IRunStore`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Submit a chat message via `ChatEndpoints` and verify `AdvisoryChatService` processes it with correct conversation context
- [ ] Create a run via `RunEndpoints` and verify `RunService` tracks artifacts and events in `InMemoryRunStore`
- [ ] Verify `AdvisoryChatIntentRouter` routes different intent types (explain, remediate, policy) to correct handlers
- [ ] Verify `AdvisoryPipelineOrchestrator` creates and executes task plans with `AdvisoryPipelineExecutor`
- [ ] Verify `AdvisoryTaskWorker` picks up queued tasks and processes them to completion
- [ ] Verify conversation context is maintained across multiple messages in the same session via `ConversationService`

36
docs/features/unchecked/advisoryai/advisoryai-pipeline-with-guardrails.md Normal file
View File

@@ -0,0 +1,36 @@
# AdvisoryAI Pipeline with Guardrails
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Full advisory AI pipeline with guardrails, chat interface, action execution, and idempotency handling. Includes retrieval, structured/vector retrievers, and SBOM context retrieval.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/`
- **Key Classes**:
- `AdvisoryGuardrailPipeline` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Guardrails/AdvisoryGuardrailPipeline.cs`) - guardrail pipeline filtering AI inputs and outputs
- `AdvisoryPipelineOrchestrator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Orchestration/AdvisoryPipelineOrchestrator.cs`) - orchestrates pipeline stages with guardrail checks
- `AdvisoryPipelineExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Execution/AdvisoryPipelineExecutor.cs`) - executes pipeline with pre/post guardrails
- `AdvisoryStructuredRetriever` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Retrievers/AdvisoryStructuredRetriever.cs`) - retrieves structured advisory data
- `AdvisoryVectorRetriever` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Retrievers/AdvisoryVectorRetriever.cs`) - vector-based semantic retrieval
- `SbomContextRetriever` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Retrievers/SbomContextRetriever.cs`) - retrieves SBOM context for vulnerability analysis
- `ActionExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionExecutor.cs`) - executes AI-proposed actions
- `IdempotencyHandler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/IdempotencyHandler.cs`) - ensures idempotent action execution
- `GuardrailAllowlistLoader` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/GuardrailAllowlistLoader.cs`) - loads guardrail allowlists from configuration
- `GuardrailPhraseLoader` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/GuardrailPhraseLoader.cs`) - loads guardrail phrase filters
- `AdvisoryAiGuardrailOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Hosting/AdvisoryAiGuardrailOptions.cs`) - guardrail configuration options
- **Interfaces**: `IAdvisoryStructuredRetriever`, `IAdvisoryVectorRetriever`, `ISbomContextRetriever`, `IActionExecutor`, `IIdempotencyHandler`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Submit a prompt through `AdvisoryGuardrailPipeline` and verify guardrails filter prohibited content before reaching LLM
- [ ] Verify `AdvisoryStructuredRetriever` returns relevant CVE/advisory data for a given vulnerability query
- [ ] Verify `AdvisoryVectorRetriever` performs semantic search and returns ranked results
- [ ] Verify `SbomContextRetriever` enriches prompts with SBOM component context
- [ ] Execute an action through `ActionExecutor` and verify `IdempotencyHandler` prevents duplicate execution
- [ ] Verify `GuardrailAllowlistLoader` and `GuardrailPhraseLoader` correctly load and enforce content filters
- [ ] Verify the full pipeline flow: retrieval -> guardrail check -> LLM inference -> output guardrail -> response

31
docs/features/unchecked/advisoryai/ai-action-policy-gate.md Normal file
View File

@@ -0,0 +1,31 @@
# AI Action Policy Gate (K4 Lattice Governance for AI-Proposed Actions)
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Connects AI-proposed actions to the Policy Engine's K4 lattice for governance-aware automation. Moves beyond simple role checks to VEX-aware policy gates with approval workflows, idempotency tracking, and action audit ledger. Enables "AI that acts" with governance guardrails.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/`
- **Key Classes**:
- `ActionPolicyGate` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionPolicyGate.cs`) - evaluates AI-proposed actions against K4 lattice policy rules
- `ActionRegistry` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionRegistry.cs`) - registry of available AI actions with metadata and policy requirements
- `ActionExecutor` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionExecutor.cs`) - executes approved actions with policy gate checks
- `ActionAuditLedger` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionAuditLedger.cs`) - immutable audit trail of all action decisions and executions
- `ApprovalWorkflowAdapter` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ApprovalWorkflowAdapter.cs`) - integrates with approval workflows for gated actions
- `IdempotencyHandler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/IdempotencyHandler.cs`) - ensures actions are not duplicated
- `ActionDefinition` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Actions/ActionDefinition.cs`) - defines an action's capabilities, constraints, and policy metadata
- **Interfaces**: `IActionPolicyGate`, `IActionRegistry`, `IActionExecutor`, `IActionAuditLedger`, `IApprovalWorkflowAdapter`, `IIdempotencyHandler`, `IGuidGenerator`
- **Source**: SPRINT_20260109_011_004_BE_policy_action_integration.md
## E2E Test Plan
- [ ] Register an action in `ActionRegistry` and verify `ActionPolicyGate` evaluates it against K4 lattice policy rules
- [ ] Submit an action requiring approval and verify `ApprovalWorkflowAdapter` creates an approval request
- [ ] Execute a gated action after approval and verify `ActionAuditLedger` records the decision, approval, and execution
- [ ] Submit a duplicate action and verify `IdempotencyHandler` prevents re-execution
- [ ] Submit an action that violates policy and verify `ActionPolicyGate` rejects it with a policy violation reason
- [ ] Verify `ActionDefinition` metadata (risk level, required approvals, allowed scopes) is enforced during gate evaluation

37
docs/features/unchecked/advisoryai/ai-remedy-autopilot-with-multi-scm-pull-request-generation.md Normal file
View File

@@ -0,0 +1,37 @@
# AI Remedy Autopilot with Multi-SCM Pull Request Generation
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
AI-powered remediation service that generates fix plans (dependency bumps, base image upgrades, config changes, backport guidance), then creates PRs automatically across GitHub, GitLab, Azure DevOps, and Gitea via a unified SCM connector plugin architecture. Includes build verification, SBOM delta computation, signed delta verdicts, and fallback to "suggestion-only" when build/tests fail.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Scm.Plugin.Unified/`
- **Key Classes**:
- `AiRemediationPlanner` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/AiRemediationPlanner.cs`) - AI-driven remediation plan generation
- `RemediationDeltaService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/RemediationDeltaService.cs`) - computes SBOM delta for remediation impact
- `PrTemplateBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/PrTemplateBuilder.cs`) - builds PR descriptions with evidence and delta info
- `GitHubPullRequestGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/GitHubPullRequestGenerator.cs`) - generates PRs on GitHub
- `GitLabMergeRequestGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/GitLabMergeRequestGenerator.cs`) - generates MRs on GitLab
- `AzureDevOpsPullRequestGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/AzureDevOpsPullRequestGenerator.cs`) - generates PRs on Azure DevOps
- `GiteaScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/GiteaScmConnector.cs`) - Gitea SCM integration
- `GitHubScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/GitHubScmConnector.cs`) - GitHub SCM integration
- `GitLabScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/GitLabScmConnector.cs`) - GitLab SCM integration
- `AzureDevOpsScmConnector` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/AzureDevOpsScmConnector.cs`) - Azure DevOps SCM integration
- `ScmConnectorCatalog` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Remediation/ScmConnector/ScmConnectorCatalog.cs`) - catalog of available SCM connectors
- `ScmPluginAdapter` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Scm.Plugin.Unified/ScmPluginAdapter.cs`) - unified plugin adapter for SCM operations
- `ScmPluginAdapterFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Scm.Plugin.Unified/ScmPluginAdapterFactory.cs`) - factory for creating SCM plugin adapters
- **Interfaces**: `IRemediationPlanner`, `IPullRequestGenerator`, `IScmConnector`, `IPackageVersionResolver`
- **Source**: SPRINT_20251226_016_AI_remedy_autopilot.md
## E2E Test Plan
- [ ] Generate a remediation plan via `AiRemediationPlanner` for a known CVE and verify it includes dependency bump steps
- [ ] Create a PR via `GitHubPullRequestGenerator` and verify `PrTemplateBuilder` populates the description with evidence
- [ ] Verify `RemediationDeltaService` computes SBOM delta showing before/after dependency changes
- [ ] Verify `ScmConnectorCatalog` resolves the correct connector (GitHub, GitLab, AzureDevOps, Gitea) based on repository URL
- [ ] Verify `ScmPluginAdapter` creates branches, commits changes, and opens PRs through the unified plugin interface
- [ ] Verify fallback to "suggestion-only" mode when build verification fails after applying the fix

35
docs/features/unchecked/advisoryai/chat-gateway-with-quotas-and-scrubbing.md Normal file
View File

@@ -0,0 +1,35 @@
# Chat Gateway with Quotas and Scrubbing
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Chat gateway with configurable options (quotas, budgets) and service-layer chat orchestration is implemented.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/`
- **Key Classes**:
- `AdvisoryChatService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/AdvisoryChatService.cs`) - main chat service with quota enforcement
- `AdvisoryChatQuotaService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/AdvisoryChatQuotaService.cs`) - per-user/tenant quota tracking and enforcement
- `AdvisoryChatOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Options/AdvisoryChatOptions.cs`) - configurable chat options (quotas, budgets, limits)
- `GroundingValidator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/GroundingValidator.cs`) - validates AI responses are grounded in evidence
- `ChatResponseStreamer` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ChatResponseStreamer.cs`) - streams chat responses with progressive delivery
- `ChatPromptAssembler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ChatPromptAssembler.cs`) - assembles prompts with scrubbing and context injection
- `ConversationContextBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ConversationContextBuilder.cs`) - builds conversation context with relevant data
- `ChatEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/ChatEndpoints.cs`) - REST API endpoints for chat gateway
- `RateLimitsService` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Services/RateLimitsService.cs`) - rate limiting for chat API calls
- `AuthorizationService` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Services/AuthorizationService.cs`) - authorization checks for chat access
- **Interfaces**: `IAdvisoryChatInferenceClient`, `IAiConsentStore`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Send chat messages and verify `AdvisoryChatQuotaService` enforces per-user quotas (reject after limit exceeded)
- [ ] Configure quota limits via `AdvisoryChatOptions` and verify they are applied at runtime
- [ ] Verify `ChatPromptAssembler` scrubs sensitive data (credentials, tokens) from prompts before sending to LLM
- [ ] Verify `GroundingValidator` flags responses that lack evidence grounding
- [ ] Verify `RateLimitsService` rate-limits excessive chat API calls
- [ ] Verify `ChatResponseStreamer` delivers streaming responses with proper chunking
- [ ] Verify `AuthorizationService` rejects chat requests from unauthorized users

31
docs/features/unchecked/advisoryai/deterministic-ai-artifact-replay.md Normal file
View File

@@ -0,0 +1,31 @@
# Deterministic AI Artifact Replay
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Deterministic replay infrastructure for AI artifacts including replay manifests, prompt template versioning, and input artifact hashing for reproducible AI outputs.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Replay/`, `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/`
- **Key Classes**:
- `AIArtifactReplayer` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Replay/AIArtifactReplayer.cs`) - replays AI artifacts with deterministic inputs for verification
- `ReplayInputArtifact` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayInputArtifact.cs`) - input artifact model with content-addressed hashing
- `ReplayPromptTemplate` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayPromptTemplate.cs`) - versioned prompt templates for replay
- `ReplayResult` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayResult.cs`) - replay execution result with comparison data
- `ReplayVerificationResult` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayVerificationResult.cs`) - verification of replay output against original
- `ReplayStatus` (`src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayStatus.cs`) - replay status tracking
- `DeterministicHashVectorEncoder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Vectorization/DeterministicHashVectorEncoder.cs`) - deterministic hash-based vector encoding for reproducibility
- **Interfaces**: None (uses concrete replay pipeline)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Record an AI inference run and verify `AIArtifactReplayer` can replay it with identical inputs
- [ ] Verify `ReplayInputArtifact` computes content-addressed hashes that match across replay invocations
- [ ] Verify `ReplayPromptTemplate` versioning: replay with a v1 template produces the same output as the original v1 run
- [ ] Verify `ReplayVerificationResult` detects differences when the replay output diverges from the original
- [ ] Verify `DeterministicHashVectorEncoder` produces identical vectors for identical inputs across runs
- [ ] Verify replay with temperature=0 and fixed seed produces bit-identical outputs for supported providers

38
docs/features/unchecked/advisoryai/evidence-first-ai-outputs.md Normal file
View File

@@ -0,0 +1,38 @@
# Evidence-First AI Outputs (Citations, Evidence Packs)
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Evidence bundle assembly with schema-validated JSON, data providers for citations, and evidence pack integration in chat responses is implemented.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/`
- **Key Classes**:
- `EvidenceBundleAssembler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/EvidenceBundleAssembler.cs`) - assembles evidence bundles from multiple data providers
- `EvidencePackChatIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/EvidencePackChatIntegration.cs`) - integrates evidence packs into chat responses
- `AttestationIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/AttestationIntegration.cs`) - links evidence packs to attestation framework
- `SbomDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/SbomDataProvider.cs`) - provides SBOM data for evidence bundles
- `VexDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/VexDataProvider.cs`) - provides VEX data for evidence bundles
- `ReachabilityDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/ReachabilityDataProvider.cs`) - provides reachability scoring data
- `PolicyDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/PolicyDataProvider.cs`) - provides policy evaluation data
- `ProvenanceDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/ProvenanceDataProvider.cs`) - provides provenance/SLSA data
- `FixDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/FixDataProvider.cs`) - provides fix availability data
- `BinaryPatchDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/BinaryPatchDataProvider.cs`) - provides binary patch analysis data
- `ContextDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/ContextDataProvider.cs`) - provides contextual data
- `OpsMemoryDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/OpsMemoryDataProvider.cs`) - provides OpsMemory historical decision data
- `EvidencePackEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/EvidencePackEndpoints.cs`) - REST endpoints for evidence pack access
- **Interfaces**: `IEvidenceBundleAssembler`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Assemble an evidence bundle via `EvidenceBundleAssembler` and verify all data providers contribute relevant sections
- [ ] Verify `SbomDataProvider` includes component version and license data in the evidence bundle
- [ ] Verify `VexDataProvider` includes VEX status (affected/not_affected/fixed) for referenced CVEs
- [ ] Verify `ReachabilityDataProvider` includes reachability scores and call-path evidence
- [ ] Verify `EvidencePackChatIntegration` attaches evidence pack references to chat responses
- [ ] Verify `AttestationIntegration` signs evidence packs with attestation metadata
- [ ] Access evidence packs via `EvidencePackEndpoints` and verify schema-validated JSON output

31
docs/features/unchecked/advisoryai/evidence-first-citations-in-chat-responses.md Normal file
View File

@@ -0,0 +1,31 @@
# Evidence-First Citations in Chat Responses
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Evidence bundle assembly with citations in chat responses and UI evidence drilldown is implemented.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/`, `src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/`
- **Key Classes**:
- `EvidenceAnchoredExplanationGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/EvidenceAnchoredExplanationGenerator.cs`) - generates explanations anchored to evidence citations
- `EvidencePackChatIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/EvidencePackChatIntegration.cs`) - embeds evidence citations into chat responses
- `GroundingValidator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/GroundingValidator.cs`) - validates that AI claims are grounded in cited evidence
- `ExplanationPromptTemplates` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/ExplanationPromptTemplates.cs`) - prompt templates for citation-rich explanations
- `DefaultExplanationPromptService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/DefaultExplanationPromptService.cs`) - assembles explanation prompts with citation instructions
- `InMemoryExplanationStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Explanation/InMemoryExplanationStore.cs`) - stores explanation requests and results
- `ActionProposalParser` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ActionProposalParser.cs`) - parses action proposals from LLM responses with citation references
- **Interfaces**: `IExplanationGenerator`, `IExplanationRequestStore`, `IEvidenceRetrievalService`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Generate an explanation via `EvidenceAnchoredExplanationGenerator` and verify it contains citation references to evidence items
- [ ] Verify `GroundingValidator` rejects explanations that make claims without corresponding evidence citations
- [ ] Verify `EvidencePackChatIntegration` embeds clickable citation references in chat response markdown
- [ ] Verify `ExplanationPromptTemplates` instruct the LLM to cite evidence sources in its output
- [ ] Verify `InMemoryExplanationStore` persists explanation requests and results for later retrieval
- [ ] Verify `ActionProposalParser` extracts cited evidence IDs from LLM-generated action proposals

31
docs/features/unchecked/advisoryai/immutable-audit-log-for-ai-interactions.md Normal file
View File

@@ -0,0 +1,31 @@
# Immutable Audit Log for AI Interactions
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
DSSE-signed audit envelope builder for chat interactions with prompts, tool calls, and model fingerprints is implemented.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Audit/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/`
- **Key Classes**:
- `AdvisoryChatAuditEnvelopeBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Audit/AdvisoryChatAuditEnvelopeBuilder.cs`) - builds DSSE-signed audit envelopes for chat interactions
- `ChatAuditRecords` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Audit/ChatAuditRecords.cs`) - audit record models (prompts, responses, tool calls, model fingerprints)
- `PostgresAdvisoryChatAuditLogger` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/PostgresAdvisoryChatAuditLogger.cs`) - persists audit records to PostgreSQL
- `NullAdvisoryChatAuditLogger` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/NullAdvisoryChatAuditLogger.cs`) - no-op audit logger for testing
- `AttestationEndpoints` (`src/AdvisoryAi/StellaOps.AdvisoryAI.WebService/Endpoints/AttestationEndpoints.cs`) - REST endpoints for attestation/audit retrieval
- `NullEvidencePackSigner` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Evidence/NullEvidencePackSigner.cs`) - no-op evidence pack signer for development
- `AdvisoryPipelineMetrics` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Metrics/AdvisoryPipelineMetrics.cs`) - metrics collection for audit visibility
- **Interfaces**: None (uses concrete audit pipeline)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Send a chat message and verify `AdvisoryChatAuditEnvelopeBuilder` creates a DSSE-signed envelope containing the prompt, response, and model fingerprint
- [ ] Verify `ChatAuditRecords` captures tool call invocations with parameters and results
- [ ] Verify `PostgresAdvisoryChatAuditLogger` persists audit records and they are retrievable via `AttestationEndpoints`
- [ ] Verify audit envelopes are immutable: attempting to modify a persisted record fails
- [ ] Verify audit records include model identifier, temperature setting, and token counts
- [ ] Verify audit log entries are queryable by user, session, and time range

28
docs/features/unchecked/advisoryai/llm-inference-response-caching.md Normal file
View File

@@ -0,0 +1,28 @@
# LLM Inference Response Caching
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
In-memory LLM inference cache that deduplicates identical prompt+model combinations. Reduces API costs and latency by caching deterministic responses keyed by content hash.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/`
- **Key Classes**:
- `LlmInferenceCache` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmInferenceCache.cs`) - in-memory cache keyed by content hash of prompt+model+parameters
- `LlmProviderFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderFactory.cs`) - factory that wraps providers with caching layer
- `LlmProviderOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderOptions.cs`) - provider options including cache TTL and size limits
- `ProviderBasedAdvisoryInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/ProviderBasedAdvisoryInferenceClient.cs`) - inference client that uses the caching layer
- **Interfaces**: `ILlmProvider`
- **Source**: SPRINT_20251226_019_AI_offline_inference.md
## E2E Test Plan
- [ ] Send identical prompts twice and verify `LlmInferenceCache` returns the cached response on the second call without hitting the LLM
- [ ] Verify cache keys include model ID and parameters: same prompt with different temperature results in cache miss
- [ ] Verify cache TTL: cached responses expire after configured duration
- [ ] Verify cache size limits: when max entries are reached, oldest entries are evicted
- [ ] Verify cache bypass: non-deterministic requests (temperature > 0) are not cached
- [ ] Verify `ProviderBasedAdvisoryInferenceClient` correctly integrates caching with the provider pipeline

40
docs/features/unchecked/advisoryai/llm-provider-plugin-architecture.md Normal file
View File

@@ -0,0 +1,40 @@
# LLM Provider Plugin Architecture (Multi-Provider Inference)
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Pluggable LLM provider architecture with ILlmProvider interface supporting OpenAI, Claude, Gemini, llama.cpp (LlamaServer), and Ollama backends. Includes LlmProviderFactory for runtime selection and configuration validation. Enables sovereign/offline inference by switching to local providers.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/`, `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/`, `src/AdvisoryAi/StellaOps.AdvisoryAI.Plugin.Unified/`
- **Key Classes**:
- `LlmProviderFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderFactory.cs`) - factory for runtime LLM provider selection
- `OpenAiLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/OpenAiLlmProvider.cs`) - OpenAI API provider
- `ClaudeLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/ClaudeLlmProvider.cs`) - Anthropic Claude API provider
- `GeminiLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/GeminiLlmProvider.cs`) - Google Gemini API provider
- `LlamaServerLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlamaServerLlmProvider.cs`) - local llama.cpp server provider
- `OllamaLlmProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/OllamaLlmProvider.cs`) - Ollama local inference provider
- `LlmProviderOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmProviders/LlmProviderOptions.cs`) - provider configuration and validation
- `ClaudeInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/ClaudeInferenceClient.cs`) - Claude-specific chat inference client
- `OpenAIInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/OpenAIInferenceClient.cs`) - OpenAI-specific chat inference client
- `OllamaInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/OllamaInferenceClient.cs`) - Ollama-specific chat inference client
- `LocalInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/LocalInferenceClient.cs`) - local model inference client
- `LlmPluginAdapter` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Plugin.Unified/LlmPluginAdapter.cs`) - unified plugin adapter for LLM providers
- `LlmPluginAdapterFactory` (`src/AdvisoryAi/StellaOps.AdvisoryAI.Plugin.Unified/LlmPluginAdapterFactory.cs`) - factory for creating LLM plugin adapters
- `SystemPromptLoader` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Inference/SystemPromptLoader.cs`) - loads system prompts for inference clients
- **Interfaces**: `ILlmProvider`, `ILlmProviderPlugin`, `IAdvisoryChatInferenceClient`
- **Source**: SPRINT_20251226_019_AI_offline_inference.md
## E2E Test Plan
- [ ] Configure `LlmProviderFactory` with multiple providers and verify runtime selection based on configuration
- [ ] Verify `OpenAiLlmProvider` sends requests to OpenAI API with correct authentication and model parameters
- [ ] Verify `ClaudeLlmProvider` sends requests to Claude API with correct authentication
- [ ] Verify `OllamaLlmProvider` connects to local Ollama instance and performs inference
- [ ] Verify `LlamaServerLlmProvider` connects to local llama.cpp server endpoint
- [ ] Verify `LlmProviderOptions` validation rejects invalid configurations (missing API keys, invalid endpoints)
- [ ] Verify `LlmPluginAdapter` provides health checks for configured LLM providers
- [ ] Verify provider failover: when primary provider is unavailable, factory falls back to secondary

31
docs/features/unchecked/advisoryai/natural-language-to-policy-rule-compiler.md Normal file
View File

@@ -0,0 +1,31 @@
# Natural Language to Policy Rule Compiler (Policy Studio Copilot)
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
AI-powered natural language to lattice rule translation engine including PolicyIntentType parsing, LatticeRuleGenerator, property-based test synthesizer for generated rules, and PolicyBundleCompiler. Transforms plain-English policy descriptions into formal stella-dsl@1 rules with live preview and conflict visualization.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/`
- **Key Classes**:
- `AiPolicyIntentParser` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/AiPolicyIntentParser.cs`) - parses natural language into structured policy intents using LLM
- `LatticeRuleGenerator` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/LatticeRuleGenerator.cs`) - generates K4 lattice rules from parsed policy intents
- `PropertyBasedTestSynthesizer` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/PropertyBasedTestSynthesizer.cs`) - synthesizes property-based test cases for generated rules
- `PolicyBundleCompiler` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/PolicyBundleCompiler.cs`) - compiles generated rules into a deployable policy bundle
- `PolicyIntent` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/PolicyIntent.cs`) - policy intent model with type, constraints, and conditions
- `InMemoryPolicyIntentStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/InMemoryPolicyIntentStore.cs`) - stores policy intents for iterative refinement
- `NullPolicyIntentParser` (`src/AdvisoryAi/StellaOps.AdvisoryAI/PolicyStudio/NullPolicyIntentParser.cs`) - no-op parser for testing
- **Interfaces**: `IPolicyIntentParser`, `IPolicyRuleGenerator`, `ITestCaseSynthesizer`
- **Source**: SPRINT_20251226_017_AI_policy_copilot.md
## E2E Test Plan
- [ ] Submit a natural language policy description (e.g., "block critical CVEs without a fix") and verify `AiPolicyIntentParser` produces a structured `PolicyIntent`
- [ ] Verify `LatticeRuleGenerator` translates the intent into valid stella-dsl@1 lattice rules
- [ ] Verify `PropertyBasedTestSynthesizer` generates test cases that exercise the generated rule's accept/reject boundaries
- [ ] Verify `PolicyBundleCompiler` compiles rules into a deployable bundle with correct schema version
- [ ] Verify `InMemoryPolicyIntentStore` supports iterative refinement: modify an intent and regenerate rules
- [ ] Verify conflict detection: generate two conflicting rules and verify the compiler reports the conflict

28
docs/features/unchecked/advisoryai/opsmemory-chat-integration.md Normal file
View File

@@ -0,0 +1,28 @@
# OpsMemory-Chat Integration (Decision Memory in AI Conversations)
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Connects OpsMemory institutional decision memory to AdvisoryAI Chat, enabling the AI to surface relevant past decisions during conversations and automatically record new decisions with outcomes for feedback loop learning.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/`
- **Key Classes**:
- `OpsMemoryIntegration` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/OpsMemoryIntegration.cs`) - integrates OpsMemory decision retrieval into chat pipeline
- `OpsMemoryLinkResolver` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/OpsMemoryLinkResolver.cs`) - resolves OpsMemory links referenced in chat context
- `OpsMemoryDataProvider` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Assembly/Providers/OpsMemoryDataProvider.cs`) - data provider that fetches relevant OpsMemory entries for evidence bundles
- `ConversationContextBuilder` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/ConversationContextBuilder.cs`) - includes OpsMemory context in conversation history
- **Interfaces**: None (uses concrete integration classes)
- **Source**: SPRINT_20260109_011_002_BE_opsmemory_chat_integration.md
## E2E Test Plan
- [ ] Ask about a CVE that has a prior decision in OpsMemory and verify `OpsMemoryIntegration` surfaces the past decision in the response
- [ ] Verify `OpsMemoryDataProvider` includes relevant past decisions in the evidence bundle for chat responses
- [ ] Verify `OpsMemoryLinkResolver` resolves OpsMemory entry links to their full decision details
- [ ] Verify `ConversationContextBuilder` enriches prompts with relevant OpsMemory context
- [ ] Verify new decisions made during chat are recorded back into OpsMemory for future retrieval
- [ ] Verify OpsMemory integration does not include stale decisions (respects TTL/validity windows)

32
docs/features/unchecked/advisoryai/sanctioned-tool-registry.md Normal file
View File

@@ -0,0 +1,32 @@
# Sanctioned Tool Registry (Policy-Gated Tool Execution)
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Tool policy system with sanctioned tool registry controlling which AI tools can be invoked, with read-only defaults and confirmation-gated action tools.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/`, `src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/`
- **Key Classes**:
- `AdvisoryChatToolPolicy` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatToolPolicy.cs`) - defines which tools are sanctioned, read-only, or require confirmation
- `DeterministicToolset` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/DeterministicToolset.cs`) - deterministic tool implementations (version analysis, dependency analysis)
- `AdvisoryChatSettingsService` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatSettingsService.cs`) - manages chat settings including tool policies
- `AdvisoryChatSettingsStore` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatSettingsStore.cs`) - persists chat settings and tool policies
- `AdvisoryChatSettingsModels` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Settings/AdvisoryChatSettingsModels.cs`) - settings models for tool access levels
- `DependencyAnalysisResult` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/DependencyAnalysisResult.cs`) - result model for dependency analysis tool
- `SemanticVersion` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/SemanticVersion.cs`) - semantic version parsing for version analysis tool
- `SemanticVersionRange` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Tools/SemanticVersionRange.cs`) - version range matching for dependency tools
- **Interfaces**: `IDeterministicToolset`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Configure `AdvisoryChatToolPolicy` with sanctioned tools and verify only those tools can be invoked during chat
- [ ] Attempt to invoke a non-sanctioned tool and verify it is rejected with an access denied response
- [ ] Verify read-only tools execute without confirmation prompts
- [ ] Verify action tools (write operations) require user confirmation before execution
- [ ] Verify `DeterministicToolset` provides consistent results for version analysis and dependency analysis
- [ ] Verify `AdvisoryChatSettingsService` persists tool policy changes via `AdvisoryChatSettingsStore`

35
docs/features/unchecked/advisoryai/sovereign-offline-ai-inference-with-signed-model-bundles.md Normal file
View File

@@ -0,0 +1,35 @@
# Sovereign/Offline AI Inference with Signed Model Bundles
## Module
AdvisoryAI
## Status
IMPLEMENTED
## Description
Local LLM inference for air-gapped environments via a pluggable provider architecture supporting llama.cpp server, Ollama, OpenAI, Claude, and Gemini. DSSE-signed model bundle management with regional crypto support (eIDAS/FIPS/GOST/SM), digest verification at load time, deterministic output config (temperature=0, fixed seed), inference caching, benchmarking harness, and offline replay verification.
## Implementation Details
- **Modules**: `src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/`
- **Key Classes**:
- `SignedModelBundleManager` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/SignedModelBundleManager.cs`) - manages DSSE-signed model bundles with digest verification at load time
- `ModelBundle` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/ModelBundle.cs`) - model bundle metadata including hash, signature, and regional crypto info
- `LlamaCppRuntime` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlamaCppRuntime.cs`) - llama.cpp local inference runtime
- `OnnxRuntime` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/OnnxRuntime.cs`) - ONNX runtime for local model inference
- `AdvisoryInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/AdvisoryInferenceClient.cs`) - main inference client with provider routing
- `ProviderBasedAdvisoryInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/ProviderBasedAdvisoryInferenceClient.cs`) - provider-based inference with caching
- `LlmBenchmark` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LlmBenchmark.cs`) - benchmarking harness for inference performance
- `LocalInferenceOptions` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LocalInferenceOptions.cs`) - configuration for local inference (temperature, seed, context size)
- `LocalLlmConfig` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Inference/LocalLlmConfig.cs`) - local LLM configuration (model path, quantization, GPU layers)
- `LocalChatInferenceClient` (`src/AdvisoryAi/StellaOps.AdvisoryAI/Chat/Services/LocalChatInferenceClient.cs`) - chat-specific local inference client
- **Interfaces**: `ILocalLlmRuntime`
- **Source**: SPRINT_20251226_019_AI_offline_inference.md
## E2E Test Plan
- [ ] Load a signed model bundle via `SignedModelBundleManager` and verify DSSE signature and digest are validated
- [ ] Verify `SignedModelBundleManager` rejects a model bundle with a tampered digest
- [ ] Run inference through `LlamaCppRuntime` with temperature=0 and fixed seed and verify deterministic output
- [ ] Run `LlmBenchmark` and verify it measures tokens/second and latency metrics
- [ ] Verify `OnnxRuntime` loads and runs inference with an ONNX model
- [ ] Configure `LocalInferenceOptions` with air-gap settings and verify no external network calls are made
- [ ] Verify `ProviderBasedAdvisoryInferenceClient` caches deterministic responses and returns cached results on repeat queries

28
docs/features/unchecked/airgap/air-gap-bundle-system.md Normal file
View File

@@ -0,0 +1,28 @@
# Air-Gap Bundle System (DSSE-Signed Bundle Format with Import/Export)
## Module
AirGap
## Status
IMPLEMENTED
## Description
Comprehensive air-gap bundle system with DSSE signing and verification, bundle format with schemas/validation/trust snapshots, controller for state management, importer with quarantine-on-failure, atomic feed activation with rollback, file-based and router-based delivery transport, and offline kit validation (monotonicity checking, telemetry metrics). Covers offline update kits (OUK), replay packs, and audit pack export/import.
## Implementation Details
- **Controller**: `src/AirGap/StellaOps.AirGap.Controller/` -- state management (`AirGapState.cs`, `AirGapStateService.cs`), endpoints (`AirGapEndpoints.cs` with seal/verify), startup options, telemetry
- **Importer**: `src/AirGap/StellaOps.AirGap.Importer/` -- bundle planning (`BundleImportPlanner.cs`), quarantine on failure (`FileSystemQuarantineService.cs`, `IQuarantineService.cs`), evidence reconciliation (`EvidenceReconciler.cs`, `EvidenceGraph.cs`), SBOM/DSSE parsers, version monotonicity, trust root config, replay verification
- **Bundle library**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- bundle format, schema validation, trust snapshot management
- **Sync library**: `src/AirGap/__Libraries/StellaOps.AirGap.Sync/` -- synchronization for bundle delivery
- **Persistence**: `src/AirGap/__Libraries/StellaOps.AirGap.Persistence/` and `src/AirGap/StellaOps.AirGap.Storage.Postgres/`
- **Policy**: `src/AirGap/StellaOps.AirGap.Policy/` -- offline verification policy, analyzers
- **Tests**: Controller, Importer, Persistence, Sync, Time, and Policy tests under `src/AirGap/__Tests/`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Test bundle import with valid DSSE-signed bundle, verify state transition
- [ ] Test quarantine behavior on invalid bundle signature
- [ ] Test monotonicity check rejects older bundle version
- [ ] Test evidence reconciliation correctly parses CycloneDx, DSSE attestations
- [ ] Test atomic feed activation and rollback on failure
- [ ] Verify bundle import planning produces correct plan

25
docs/features/unchecked/airgap/air-gap-epistemic-mode-with-sealed-startup-and-feed-snapshots.md Normal file
View File

@@ -0,0 +1,25 @@
# Air-Gap Epistemic Mode with Sealed Startup and Feed Snapshots
## Module
AirGap
## Status
IMPLEMENTED
## Description
Full epistemic completeness for air-gapped environments: sealed startup validation, feed snapshot repositories, signed mirror connectors, cryptographic binding of knowledge state to scan results, snapshot management, and sealed install enforcement.
## Implementation Details
- **Sealed startup**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStartupDiagnosticsHostedService.cs` -- validates sealed state at startup
- **Startup options**: `src/AirGap/StellaOps.AirGap.Controller/Options/AirGapStartupOptions.cs` -- sealed startup configuration
- **State management**: `src/AirGap/StellaOps.AirGap.Controller/Domain/AirGapState.cs`, `Services/AirGapStateService.cs`
- **State stores**: `src/AirGap/StellaOps.AirGap.Controller/Stores/IAirGapStateStore.cs`, `InMemoryAirGapStateStore.cs`
- **Feed snapshots**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- snapshot management in bundle library
- **Offline verification**: `src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs`, `OfflineVerificationPolicyLoader.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify sealed startup validation prevents operation with incomplete knowledge state
- [ ] Test feed snapshot loading and cryptographic binding
- [ ] Verify state transitions in air-gap controller
- [ ] Test offline verification policy enforcement

25
docs/features/unchecked/airgap/deterministic-rekor-receipts-with-offline-verification.md Normal file
View File

@@ -0,0 +1,25 @@
# Deterministic Rekor Receipts with Offline Verification
## Module
AirGap
## Status
IMPLEMENTED
## Description
Offline Rekor receipt verifier validates checkpoint signatures (ECDSA/Ed25519), Merkle inclusion proofs per RFC 6962, and root hash consistency without live transparency log access. Includes TileProxy for local tile-based transparency log proxy, and mirror snapshot resolution for air-gapped deployments.
## Implementation Details
- **Rekor proof builder**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/EnhancedRekorProofBuilder.Build.cs`, `EnhancedRekorProofBuilder.Validate.cs`, `EnhancedRekorProofBuilder.cs`
- **Rekor inclusion proof**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Rekor/RekorInclusionProof.cs`
- **Rekor verification step**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/RekorInclusionVerificationStep.cs`
- **Replay verification**: `src/AirGap/StellaOps.AirGap.Controller/Services/ReplayVerificationService.cs`
- **Importer replay**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/ReplayVerificationRequest.cs`, `ReplayDepth.cs`
- **Merkle proofs**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.Proof.cs`, `MerkleProof.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify Rekor receipt offline verification validates checkpoint signatures (ECDSA/Ed25519)
- [ ] Test Merkle inclusion proof verification per RFC 6962
- [ ] Test root hash consistency verification without live transparency log
- [ ] Verify replay verification service works in air-gapped mode

25
docs/features/unchecked/airgap/deterministic-replay-and-verification-in-air-gap-mode.md Normal file
View File

@@ -0,0 +1,25 @@
# Deterministic Replay and Verification in Air-Gap Mode
## Module
AirGap
## Status
IMPLEMENTED
## Description
Replay manifests capturing input artifacts, verification results, and media types for deterministic reproducibility. Replay verification service for air-gapped environments. Covers offline cryptography plugins and importer validation.
## Implementation Details
- **Replay verification service**: `src/AirGap/StellaOps.AirGap.Controller/Services/ReplayVerificationService.cs`
- **Replay contracts**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/ReplayVerificationRequest.cs`, `ReplayDepth.cs`
- **Attestor replay**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/ReplayInputArtifact.cs`, `ReplayResult.cs`, `ReplayStatus.cs`, `ReplayVerificationResult.cs`, `ReplayPromptTemplate.cs`
- **Offline crypto**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` and plugin implementations (GOST, eIDAS, SM, FIPS, HSM)
- **Evidence reconciliation**: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/` -- EvidenceReconciler, EvidenceGraph, JSON normalizer, attestation/SBOM parsers
- **Importer validation**: `src/AirGap/StellaOps.AirGap.Importer/Validation/` -- bundle validation
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify replay manifests capture all input artifacts with media types
- [ ] Test replay verification produces identical results from same inputs
- [ ] Test evidence reconciliation correctly builds evidence graph
- [ ] Verify offline crypto plugin signing/verification works without network

24
docs/features/unchecked/airgap/deterministic-test-harness.md Normal file
View File

@@ -0,0 +1,24 @@
# Deterministic Test Harness (Frozen Time, Seeded RNG, Network Isolation)
## Module
AirGap
## Status
IMPLEMENTED
## Description
Deterministic testing infrastructure with frozen time providers, deterministic fixtures, and Testcontainers for PostgreSQL isolation across backend and frontend.
## Implementation Details
- **Test infrastructure**: `src/__Tests/__Libraries/StellaOps.Testing.Chaos/Models.cs` -- chaos/deterministic testing models
- **AirGap tests**: `src/AirGap/__Tests/` -- Controller, Importer, Persistence, Sync, Time tests
- **Frozen time**: `src/AirGap/StellaOps.AirGap.Time/` -- time anchor services with frozen time providers, staleness calculation
- **Time fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/` -- deterministic time test fixtures
- **Testcontainers**: PostgreSQL isolation via `src/AirGap/StellaOps.AirGap.Storage.Postgres.Tests/`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify frozen time providers produce deterministic timestamps
- [ ] Test seeded RNG produces reproducible results
- [ ] Verify Testcontainers PostgreSQL isolation works correctly
- [ ] Test deterministic fixtures produce identical outputs across runs

25
docs/features/unchecked/airgap/dsse-receipt-schema-for-authority-sbomer-vexer-flows.md Normal file
View File

@@ -0,0 +1,25 @@
# DSSE/Receipt Schema for Authority/Sbomer/Vexer Flows
## Module
AirGap
## Status
IMPLEMENTED
## Description
DSSE envelope signing/verification across multiple modules with schema types, SPDX3 integration, and air-gap bundle signing. The receipt schema supports Authority, Sbomer, and Vexer flows.
## Implementation Details
- **DSSE signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/DsseEnvelope.cs`, `DsseSignature.cs`, `ProofChainSigner.Verification.cs`
- **DSSE SPDX3**: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Envelope.cs`, `DsseSpdx3Signature.cs`, `DsseSpdx3Signer.SignAsync.cs`, `DsseSpdx3Signer.Verify.cs`
- **DSSE verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/DsseSignatureVerificationStep.cs`
- **Importer DSSE parsing**: `src/AirGap/StellaOps.AirGap.Importer/Reconciliation/Parsers/DsseAttestationParser.cs`
- **Receipt models**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Receipts/VerificationReceipt.cs`, `VerificationResult.cs`, `VerificationCheck.cs`, `VerificationContext.cs`
- **Signing profiles**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify DSSE envelope creation for Authority/Sbomer/Vexer flows
- [ ] Test DSSE signature verification with multiple key profiles
- [ ] Verify receipt schema captures all required verification checks
- [ ] Test SPDX3 DSSE integration

29
docs/features/unchecked/airgap/mirror-time-anchor-contract.md Normal file
View File

@@ -0,0 +1,29 @@
# Mirror Time Anchor Contract
## Module
AirGap
## Status
IMPLEMENTED
## Description
Defines canonical time-anchor fields (generatedAt UTC ISO-8601, optional sourceClock hint) and staleness computation (now - generatedAt with +/-5s tolerance) for mirror bundles in air-gapped environments.
## Implementation Details
- **Time anchor module**: `src/AirGap/StellaOps.AirGap.Time/` -- full module with controllers, services, parsing, models, stores, config, hooks, health checks
- **Time anchor parsing**: `src/AirGap/StellaOps.AirGap.Time/Parsing/` -- token parsing for time anchor extraction
- **Staleness calculation**: services compute `now - generatedAt` with tolerance handling
- **HLC merge services**: `src/AirGap/StellaOps.AirGap.Time/Services/` -- Hybrid Logical Clock for multi-node sync
- **Deterministic time fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/`
- **Bundle integration**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/` -- TimeAnchorContent, SnapshotBundleWriter.Sections.TimeAnchor, SnapshotBundleReader.Verify.TimeAnchor
- **Attestor timestamping**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/TimeCorrelationValidator.Validate.cs`, `TimeCorrelationStatus.cs`
- **Tests**: `src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/` (TimeAnchorLoaderTests, StalenessCalculatorTests, TimeVerificationServiceTests, TimeTokenParserTests, etc.)
## E2E Test Plan
- [ ] Verify time anchor is embedded in air-gap bundle with correct ISO-8601 format
- [ ] Verify staleness calculation correctly computes age with +/-5s tolerance
- [ ] Verify time anchor verification rejects bundles with tampered timestamps
- [ ] Verify HLC merge produces consistent ordering across multiple nodes
## Related Documentation
- Source: SPRINT_0150_0001_0002_mirror_time.md

24
docs/features/unchecked/airgap/offline-kit-metrics-and-diagnostics.md Normal file
View File

@@ -0,0 +1,24 @@
# Offline Kit Metrics and Diagnostics
## Module
AirGap
## Status
IMPLEMENTED
## Description
Offline kit metrics, telemetry, and startup diagnostics for monitoring air-gap bundle health.
## Implementation Details
- **Telemetry**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapTelemetry.cs` -- air-gap specific telemetry
- **Telemetry options**: `src/AirGap/StellaOps.AirGap.Controller/Options/AirGapTelemetryOptions.cs` -- telemetry configuration
- **Startup diagnostics**: `src/AirGap/StellaOps.AirGap.Controller/Services/AirGapStartupDiagnosticsHostedService.cs` -- diagnostics at startup
- **Importer telemetry**: `src/AirGap/StellaOps.AirGap.Importer/Telemetry/` -- import-specific metrics
- **Status endpoints**: `src/AirGap/StellaOps.AirGap.Controller/Endpoints/Contracts/AirGapStatusResponse.cs` -- status reporting
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify AirGap status endpoint returns correct metrics
- [ ] Test startup diagnostics detect and report issues
- [ ] Verify telemetry captures bundle import/export operations
- [ ] Test importer telemetry tracks import duration and outcomes

32
docs/features/unchecked/airgap/time-anchoring-for-offline-environments.md Normal file
View File

@@ -0,0 +1,32 @@
# Time Anchoring for Offline Environments
## Module
AirGap
## Status
IMPLEMENTED
## Description
Time anchoring module with anchor loader, token parser, staleness calculator, and sealed startup validation for air-gapped environments. Includes HLC (Hybrid Logical Clock) merge services for multi-node sync.
## Implementation Details
- **Time module**: `src/AirGap/StellaOps.AirGap.Time/` -- dedicated time anchoring service
- **Controllers**: `src/AirGap/StellaOps.AirGap.Time/Controllers/` -- time anchor API controllers
- **Services**: `src/AirGap/StellaOps.AirGap.Time/Services/` -- HLC merge, staleness calculation, anchor loading
- **Parsing**: `src/AirGap/StellaOps.AirGap.Time/Parsing/` -- time anchor token parsing
- **Models**: `src/AirGap/StellaOps.AirGap.Time/Models/` -- time anchor data models
- **Stores**: `src/AirGap/StellaOps.AirGap.Time/Stores/` -- time anchor state stores
- **Config**: `src/AirGap/StellaOps.AirGap.Time/Config/` -- time anchor configuration
- **Hooks**: `src/AirGap/StellaOps.AirGap.Time/Hooks/` -- time-related event hooks
- **Health**: `src/AirGap/StellaOps.AirGap.Time/Health/` -- time health checks
- **Fixtures**: `src/AirGap/StellaOps.AirGap.Time/fixtures/` -- deterministic time test data
- **Tests**: `src/AirGap/__Tests/StellaOps.AirGap.Time.Tests/`
- **Attestor timestamping**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/TimeCorrelationValidator.Validate.cs`, `TimeCorrelationStatus.cs`
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Verify time anchor loading from sealed bundles
- [ ] Test token parsing extracts correct anchor timestamps
- [ ] Test staleness calculator produces correct durations
- [ ] Verify HLC merge service handles multi-node sync correctly
- [ ] Test health checks report time anchor status

25
docs/features/unchecked/airgap/trust-profile-management.md Normal file
View File

@@ -0,0 +1,25 @@
# Trust Profile Management (CLI and Bundle)
## Module
AirGap
## Status
IMPLEMENTED
## Description
Named trust profiles (global, eu-eidas, us-fips, bg-gov) for configuring TSA chains, signing algorithms, and verification policies per deployment context. Includes CLI commands (stella trust-profile list/apply/show) and bundle-level profile loading. Distinct from the known "Trust Anchor Management" and "Regional Crypto Profiles" which are about crypto algorithms, not deployment-context trust configuration profiles.
## Implementation Details
- **Bundle trust profiles**: `src/AirGap/__Libraries/StellaOps.AirGap.Bundle/` -- named trust profile definitions and loading
- **Trust root config**: `src/AirGap/StellaOps.AirGap.Importer/Contracts/TrustRootConfig.cs` -- trust root configuration for import verification
- **AirGap policy**: `src/AirGap/StellaOps.AirGap.Policy/` -- policy enforcement for trust profiles, includes analyzers and tests
- **Offline verification policy**: `src/AirGap/StellaOps.AirGap.Importer/Policy/OfflineVerificationPolicy.cs`, `OfflineVerificationPolicyLoader.cs`
- **Trust anchor verification**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/TrustAnchorVerificationStep.cs`
- **Source**: SPRINT_20260120_029_AirGap_offline_bundle_contract.md
## E2E Test Plan
- [ ] Verify CLI `stella trust-profile list` shows available profiles
- [ ] Test `stella trust-profile apply` switches active profile
- [ ] Test `stella trust-profile show` displays profile configuration
- [ ] Verify trust profiles configure correct TSA chains and signing algorithms
- [ ] Test bundle-level profile loading from bundle metadata

21
docs/features/unchecked/analyzers/roslyn-analyzer-for-canonicalization-enforcement.md Normal file
View File

@@ -0,0 +1,21 @@
# Roslyn Analyzer for Canonicalization Enforcement (STELLA0100)
## Module
__Analyzers
## Status
IMPLEMENTED
## Description
Custom Roslyn static analyzer (diagnostic STELLA0100) that enforces canonicalization boundaries at compile time. Detects code paths that cross resolver boundaries without proper canonicalization, preventing non-deterministic serialization from leaking into deterministic evaluation pipelines. Includes ResolverBoundaryAttribute for marking boundary methods.
## Implementation Details
- **Canonicalization Boundary Analyzer**: `src/__Analyzers/StellaOps.Determinism.Analyzers/CanonicalizationBoundaryAnalyzer.cs` -- Roslyn `DiagnosticAnalyzer` registered for C# syntax; reports diagnostic `STELLA0100` when code crosses canonicalization boundaries without proper serialization guards. Analyzes method invocations and property accesses to detect non-deterministic serialization patterns at resolver boundaries.
- **Analyzer Tests**: `src/__Analyzers/StellaOps.Determinism.Analyzers.Tests/CanonicalizationBoundaryAnalyzerTests.cs` -- unit tests verifying the analyzer correctly reports STELLA0100 diagnostics for boundary violations and does not produce false positives for correctly guarded code.
## E2E Test Plan
- [ ] Add the `StellaOps.Determinism.Analyzers` package to a test project and verify the STELLA0100 diagnostic is reported when a method crosses a canonicalization boundary without a serialization guard
- [ ] Verify the analyzer produces no diagnostics for code that correctly uses canonical serializers (e.g., `LedgerCanonicalJsonSerializer`, `Rfc8785JsonCanonicalizer`)
- [ ] Verify the analyzer integrates with `dotnet build` and causes a build warning (or error if configured via `.editorconfig`) for violations
- [ ] Verify the analyzer does not report false positives on non-serialization code paths or methods not annotated with `ResolverBoundaryAttribute`
- [ ] Verify the analyzer works with partial classes and cross-file method calls within the same assembly

21
docs/features/unchecked/aoc/aoc-roslyn-source-analyzer.md Normal file
View File

@@ -0,0 +1,21 @@
# AOC Roslyn Source Analyzer (Compile-Time Contract Enforcement)
## Module
Aoc
## Status
IMPLEMENTED
## Description
Roslyn source analyzer that enforces ingestion contracts at compile time via diagnostic rules (AOC0001, AOC0002, AOC0003), preventing forbidden field access patterns in AOC-related code.
## Implementation Details
- **Intent Analyzer**: `src/__Analyzers/StellaOps.TestKit.Analyzers/IntentAnalyzer.cs` -- Roslyn `DiagnosticAnalyzer` that enforces test intent declaration contracts. Reports AOC0001 for missing intent attributes on test methods, AOC0002 for inconsistent intent declarations across test classes, and AOC0003 for intent/naming convention mismatches.
- **Intent Analyzer Tests**: `src/__Analyzers/StellaOps.TestKit.Analyzers.Tests/IntentAnalyzerTests.cs` -- unit tests verifying the analyzer correctly reports AOC diagnostics for missing or mismatched intent declarations and validates that properly annotated tests produce no diagnostics.
## E2E Test Plan
- [ ] Add the `StellaOps.TestKit.Analyzers` package to a test project and verify AOC0001 is reported for test methods missing intent attributes
- [ ] Verify AOC0002 is reported when a test class has inconsistent intent declarations across its test methods
- [ ] Verify AOC0003 is reported for intent/naming convention mismatches (e.g., a test named `*Integration*` with a unit test intent attribute)
- [ ] Verify no diagnostics are reported for correctly attributed test methods following the naming convention
- [ ] Verify the analyzer integrates with `dotnet build` and CI pipelines to catch ingestion contract violations before merge

28
docs/features/unchecked/api/policy-trace-panel.md Normal file
View File

@@ -0,0 +1,28 @@
# Policy trace panel ("why blocked" / "what would make it pass")
## Module
Api
## Status
IMPLEMENTED
## Description
Block explanation API controller, CLI explain commands, and verdict rationale renderer provide policy trace functionality explaining why artifacts are blocked and what would unblock them.
## Implementation Details
- **Scoring Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/ScoringEndpoints.cs` -- exposes REST endpoints for querying scored findings with policy trace context, including why a finding is blocked and which evidence would change the outcome.
- **Evidence Graph Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/EvidenceGraphEndpoints.cs` -- serves evidence graph subgraphs connecting findings to attestations, VEX statements, and policy decisions, showing the trace of what inputs led to the verdict.
- **Finding Summary Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/FindingSummaryEndpoints.cs` -- returns finding summaries with policy evaluation trace context including rule names, evaluation outcomes, and evidence references.
- **Finding Scoring Service**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/FindingScoringService.cs` -- computes and caches finding scores combining CVSS, EPSS, VEX, and reachability signals; explains score composition.
- **Evidence Graph Builder**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/EvidenceGraphBuilder.cs` -- constructs evidence subgraphs from ledger events and attestation pointers for trace visualization.
- **VEX Consensus Service**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/VexConsensusService.cs` -- aggregates VEX decisions across sources to explain the consensus status.
- **Policy Evaluation Service**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Policy/PolicyEngineEvaluationService.cs` -- evaluates policy rules against findings and returns detailed trace output explaining each rule's contribution.
- **Inline Policy Evaluation Service**: `src/Findings/StellaOps.Findings.Ledger/Infrastructure/Policy/InlinePolicyEvaluationService.cs` -- lightweight inline evaluation for single-finding traces without external policy engine calls.
- **Tests**: `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringEndpointsIntegrationTests.cs`, `ScoringAuthorizationTests.cs`, `PolicyEngineEvaluationServiceTests.cs`, `InlinePolicyEvaluationServiceTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Services/EvidenceGraphBuilderTests.cs`, `FindingScoringServiceTests.cs`
## E2E Test Plan
- [ ] Submit a finding that fails policy evaluation and query the trace endpoint to verify the response explains which rule blocked it and what evidence is required to pass
- [ ] Query the evidence graph endpoint for a blocked finding and verify the returned subgraph contains nodes for the finding, its attestations, VEX statements, and policy rules with correct edge relationships
- [ ] Modify a finding's VEX status to "not_affected" and re-query the trace to verify the explanation updates to reflect the new unblocked status
- [ ] Verify authorization: attempt to query trace endpoints without the required scope and confirm a 403 response
- [ ] Verify the inline policy evaluation service returns the same trace results as the full policy engine evaluation service for a simple single-rule scenario

28
docs/features/unchecked/api/score-api-endpoints.md Normal file
View File

@@ -0,0 +1,28 @@
# Score API Endpoints (/api/v1/score/evaluate, /score/weights)
## Module
Api
## Status
IMPLEMENTED
## Description
The advisory proposed dedicated REST endpoints for score evaluation, weight management, and replay. These were marked TODO (TSF-005, TSF-011) and have not been implemented.
## Implementation Details
- **Scoring Endpoints**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/ScoringEndpoints.cs` -- maps scoring-related routes for querying scored findings, score history, and aggregate metrics.
- **Scored Findings Query Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsQueryService.cs` (implements `IScoredFindingsQueryService`) -- queries findings with their computed scores, supports filtering by severity, status, and component.
- **Scored Findings Query Models**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsQueryModels.cs` -- query/response models for scored findings queries.
- **Scored Findings Export Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoredFindingsExportService.cs` -- exports scored findings as CSV/JSON for reporting and compliance.
- **Scoring Metrics Service**: `src/Findings/StellaOps.Findings.Ledger/Services/ScoringMetricsService.cs` -- computes aggregate scoring metrics (mean score, distribution, trend).
- **Score History Store**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/ScoreHistoryStore.cs` -- persists score snapshots over time for trend analysis.
- **Scoring Contracts**: `src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/ScoringContracts.cs` -- API DTOs for score requests and responses.
- **Tests**: `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/ScoredFindingsQueryServiceTests.cs`, `src/Findings/__Tests/StellaOps.Findings.Ledger.Tests/Integration/ScoringEndpointsIntegrationTests.cs`, `ScoringObservabilityTests.cs`
## E2E Test Plan
- [ ] Query the score API with no filters and verify all findings are returned with their computed scores
- [ ] Apply severity and component filters and verify only matching findings are returned
- [ ] Export scored findings as CSV and verify the output contains correct headers and data rows matching the query results
- [ ] Verify scoring metrics endpoint returns aggregate statistics (count, mean score, percentile distribution)
- [ ] Verify authorization: confirm the scoring API requires the `findings:read` scope
- [ ] Verify pagination: query with page size and offset parameters and confirm correct paging behavior

25
docs/features/unchecked/attestor/adaptive-noise-gating-for-vulnerability-graphs.md Normal file
View File

@@ -0,0 +1,25 @@
# Adaptive Noise Gating for Vulnerability Graphs
## Module
Attestor
## Status
IMPLEMENTED
## Description
Four-part noise reduction system: (1) Semantic edge deduplication collapsing redundant edges with provenance sets, (2) Proof Strength hierarchy (Authoritative=100 > BinaryProof=80 > StaticAnalysis=60 > Heuristic=40), (3) Stability damping gate preventing flip-flopping verdicts with hysteresis thresholds, (4) Delta sections categorizing changes as New/Resolved/ConfidenceUp/ConfidenceDown/PolicyImpact.
## Implementation Details
- **ProofChain Graph**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/` -- `InMemoryProofGraphService` (with `.Mutation`, `.Queries`, `.Subgraph` partials) provides the in-memory graph with node/edge deduplication. `ProofGraphEdge` and `ProofGraphEdgeType` define edge semantics including provenance sets. `ProofGraphNode` and `ProofGraphNodeType` classify node types with strength levels.
- **Delta Verdict System**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` and `DeltaVerdictPredicate.Budget.cs` implement delta categorization (New/Resolved/ConfidenceUp/ConfidenceDown). `DeltaVerdictChange.cs` and `VerdictDeltaSummary.cs` track per-finding changes.
- **Evidence Confidence**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Confidence.cs` computes confidence scores using proof-strength hierarchy. `EvidenceSummary.cs` aggregates evidence with strength weighting.
- **Change Trace**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers` and `.Mapping` partials) tracks changes over time for stability damping.
- **Verdict Delta Predicates**: `VerdictFindingChange.cs`, `VerdictRuleChange.cs` categorize changes by policy impact.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/DeltaVerdictStatementTests.cs`, `ChangeTrace/ChangeTracePredicateTests.cs`
## E2E Test Plan
- [ ] Create a proof graph with redundant edges (same source/target, different provenance) and verify that `InMemoryProofGraphService` deduplicates them into a single edge with merged provenance sets
- [ ] Submit evidence at different proof-strength tiers (Authoritative, BinaryProof, StaticAnalysis, Heuristic) and verify the `BackportProofGenerator.Confidence` produces correct weighted confidence scores
- [ ] Generate two consecutive verdict snapshots with minor score fluctuations below the hysteresis threshold and verify that `ChangeTraceAttestationService` suppresses the flip-flop delta
- [ ] Generate a delta verdict where findings are added, resolved, and confidence-changed, then verify `DeltaVerdictPredicate` categorizes each change correctly (New/Resolved/ConfidenceUp/ConfidenceDown/PolicyImpact)
- [ ] Query a subgraph via `InMemoryProofGraphService.Subgraph` and verify only reachable nodes from the root are included, with correct edge types

30
docs/features/unchecked/attestor/ai-assisted-explanation-and-classification.md Normal file
View File

@@ -0,0 +1,30 @@
# AI-Assisted Explanation and Classification
## Module
Attestor
## Status
IMPLEMENTED
## Description
AI authority classifier with explanation scoring, citation references, explanation types, and model identifiers. AI artifact verification step integrates into the verification pipeline.
## Implementation Details
- **AIAuthorityClassifier**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs` (with `.Explanation`, `.ExplanationScore`, `.PolicyDraft`, `.PolicyDraftScore`, `.Remediation`, `.RemediationScore`, `.VexDraft`, `.VexDraftScore` partials) -- classifies AI outputs into `Suggestion`, `EvidenceBacked`, or `AuthorityThreshold` based on citation rate, verified rate, and confidence score.
- **AIAuthorityThresholds**: `AIAuthorityThresholds.cs` -- configurable thresholds: `MinCitationRate` (default 0.8), `MinConfidenceScore` (default 0.7), `MinVerifiedCitationRate` (default 0.9), `AuthorityThresholdScore` (default 0.95).
- **AIArtifactAuthority enum**: `AIArtifactAuthority.cs` -- three levels: Suggestion (no evidence), EvidenceBacked (citations verified), AuthorityThreshold (meets auto-processing score).
- **AIExplanationPredicate**: `AIExplanationPredicate.cs` -- record extending `AIArtifactBasePredicate` with `ExplanationType`, `Content`, `Citations`, `ConfidenceScore`, `CitationRate`, `Subject`, `ContextScope`.
- **AIExplanationCitation**: `AIExplanationCitation.cs` -- links claims to evidence with `ClaimIndex`, `ClaimText`, `EvidenceId` (sha256 format), `EvidenceType`, `Verified` flag.
- **AIExplanationType enum**: `AIExplanationType.cs` -- Exploitability, CodePath, PolicyDecision, RiskFactors, RemediationOptions, PlainLanguageSummary, EvidenceChain.
- **AIModelIdentifier**: `AIModelIdentifier.cs` -- tracks provider/model/version with optional `WeightsDigest` for local models.
- **Verification Step**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/AIArtifactVerificationStep.cs` (with `.Execute`, `.Classify`, `.Helpers`, `.Summary`, `.VerifyParse`, `.VerifyValidation` partials) -- integrates into `VerificationPipeline` to verify AI artifacts in proof bundles.
- **Tests**: `__Libraries/StellaOps.Attestor.ProofChain.Tests/AI/AIAuthorityClassifierTests.cs`
## E2E Test Plan
- [ ] Create an `AIExplanationPredicate` with citation rate >= 0.8, verified rate >= 0.9, and confidence >= 0.7, classify via `AIAuthorityClassifier`, and verify it returns `EvidenceBacked`
- [ ] Create an explanation with citation rate < 0.8 and verify classifier returns `Suggestion` with appropriate reason messages
- [ ] Create an explanation with quality score >= 0.95 and verify classifier returns `AuthorityThreshold`
- [ ] Submit a proof bundle containing AI artifacts through `AIArtifactVerificationStep.ExecuteAsync` and verify all artifacts are validated (parse, schema, classification)
- [ ] Submit a proof bundle with invalid AI artifacts (malformed predicate) and verify the verification step returns `Passed = false` with error details
- [ ] Create an `AIExplanationCitation` with `Verified = false` and verify it lowers the verified rate below the threshold, causing the classifier to return `Suggestion`
- [ ] Verify `AIModelIdentifier.ToString()` produces the canonical `provider:model:version` format

31
docs/features/unchecked/attestor/ai-authority-classification-engine.md Normal file
View File

@@ -0,0 +1,31 @@
# AI Authority Classification Engine
## Module
Attestor
## Status
IMPLEMENTED
## Description
Authority classification engine that determines whether AI outputs are evidence-backed (authoritative) or suggestion-only, with configurable thresholds and scoring across multiple artifact types.
## Implementation Details
- **Core Classifier**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIAuthorityClassifier.cs` -- partial class with `DetermineAuthority()` method that evaluates `citationRate`, `verifiedRate`, `confidenceScore`, and `qualityScore` against configurable thresholds.
- **Artifact-Specific Scoring**: Partial files implement scoring for each artifact type:
- `AIAuthorityClassifier.Explanation.cs` / `AIAuthorityClassifier.ExplanationScore.cs` -- explanation classification and scoring
- `AIAuthorityClassifier.PolicyDraft.cs` / `AIAuthorityClassifier.PolicyDraftScore.cs` -- policy draft classification
- `AIAuthorityClassifier.Remediation.cs` / `AIAuthorityClassifier.RemediationScore.cs` -- remediation plan classification
- `AIAuthorityClassifier.VexDraft.cs` / `AIAuthorityClassifier.VexDraftScore.cs` -- VEX statement draft classification
- **Authority Levels**: `AIArtifactAuthority.cs` -- `Suggestion` (no evidence backing), `EvidenceBacked` (citations verified, evidence resolvable), `AuthorityThreshold` (auto-processing eligible)
- **Thresholds Config**: `AIAuthorityThresholds.cs` -- `MinCitationRate` (0.8), `MinConfidenceScore` (0.7), `MinVerifiedCitationRate` (0.9), `AuthorityThresholdScore` (0.95), `RequireResolvableEvidence` (true)
- **Classification Result**: `AIAuthorityClassificationResult.cs` -- captures authority level, reasons, and individual scores
- **Evidence Resolution**: Constructor accepts optional `Func<string, bool>` evidence resolver to verify that cited evidence IDs are resolvable
- **Tests**: `__Libraries/StellaOps.Attestor.ProofChain.Tests/AI/AIAuthorityClassifierTests.cs`
## E2E Test Plan
- [ ] Classify an explanation with all metrics above thresholds and verify `EvidenceBacked` result with three reason entries (citation rate, verified rate, confidence)
- [ ] Classify a policy draft with `qualityScore >= 0.95` and verify `AuthorityThreshold` result regardless of other metrics
- [ ] Classify a remediation plan with `citationRate = 0.5` and verify `Suggestion` result with reason mentioning citation rate below threshold
- [ ] Classify a VEX draft with an evidence resolver that returns `false` for some evidence IDs and verify the verified rate drops below threshold
- [ ] Override `AIAuthorityThresholds` with stricter values (e.g., `MinCitationRate = 0.95`) and verify classification changes accordingly
- [ ] Verify all four artifact-type classifiers (Explanation, PolicyDraft, Remediation, VexDraft) produce correct `AIAuthorityClassificationResult` with type-specific scoring

29
docs/features/unchecked/attestor/ai-explanation-attestation-types.md Normal file
View File

@@ -0,0 +1,29 @@
# AI Explanation Attestation Types (Zastava Companion Predicates)
## Module
Attestor
## Status
IMPLEMENTED
## Description
AI explanation attestation predicates with model identifiers, decoding parameters, and citation support for evidence-grounded AI explanations. Supports deterministic replay.
## Implementation Details
- **AIExplanationPredicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIExplanationPredicate.cs` -- record type extending `AIArtifactBasePredicate` with fields: `ExplanationType`, `Content` (markdown), `Citations` (list of `AIExplanationCitation`), `ConfidenceScore`, `CitationRate`, `Subject`, `ContextScope`.
- **AIArtifactBasePredicate**: `AIArtifactBasePredicate.cs` -- base record providing common AI artifact fields including `ModelIdentifier`, `DecodingParameters`, `GeneratedAt` timestamp.
- **AIModelIdentifier**: `AIModelIdentifier.cs` -- `Provider`, `Model`, `Version`, optional `WeightsDigest` (SHA-256 for local models). Canonical format: `provider:model:version`.
- **AIDecodingParameters**: `AIDecodingParameters.cs` -- captures generation parameters (temperature, top-p, etc.) for deterministic replay.
- **AIExplanationCitation**: `AIExplanationCitation.cs` -- links claims to evidence: `ClaimIndex`, `ClaimText`, `EvidenceId` (sha256:hex), `EvidenceType` (sbom/vex/reachability/runtime), `Verified` flag.
- **AIExplanationType enum**: `AIExplanationType.cs` -- Exploitability, CodePath, PolicyDecision, RiskFactors, RemediationOptions, PlainLanguageSummary, EvidenceChain.
- **Replay Support**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Replay/` -- `AIArtifactReplayManifest.cs`, `IAIArtifactReplayer.cs`, `ReplayInputArtifact.cs`, `ReplayPromptTemplate.cs`, `ReplayResult.cs`, `ReplayVerificationResult.cs` implement deterministic replay of AI artifacts.
- **Media Types**: `__Libraries/StellaOps.Attestor.ProofChain/MediaTypes/AIArtifactMediaTypes.cs` -- defines content-type constants for AI artifacts.
- **Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/AIExplanationStatement.cs` -- wraps the predicate as an in-toto statement.
## E2E Test Plan
- [ ] Create an `AIExplanationPredicate` with all required fields (explanation type, content, citations, confidence, citation rate, subject) and serialize to JSON, verifying all fields are correctly mapped via `JsonPropertyName` attributes
- [ ] Deserialize a JSON payload back to `AIExplanationPredicate` and verify round-trip fidelity
- [ ] Create a replay manifest from an `AIExplanationPredicate` containing `AIDecodingParameters` and verify the manifest captures model identifier and decoding params for reproducibility
- [ ] Verify `AIExplanationCitation` correctly links claims to evidence by creating citations with mixed `Verified` states and computing citation rate
- [ ] Create explanations of each `AIExplanationType` (Exploitability, CodePath, PolicyDecision, RiskFactors, RemediationOptions, PlainLanguageSummary, EvidenceChain) and verify type serialization
- [ ] Wrap predicate in `AIExplanationStatement` and verify it produces a valid in-toto statement with correct predicate type

30
docs/features/unchecked/attestor/ai-remediation-plan-attestation.md Normal file
View File

@@ -0,0 +1,30 @@
# AI Remediation Plan Attestation
## Module
Attestor
## Status
IMPLEMENTED
## Description
Predicate types for AI-generated remediation plans including steps, risk assessments, and action types as signed attestation artifacts.
## Implementation Details
- **AIRemediationPlanPredicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIRemediationPlanPredicate.cs` -- extends `AIArtifactBasePredicate` with remediation-specific fields.
- **RemediationStep**: `RemediationStep.cs` -- describes a single remediation action with status tracking.
- **RemediationActionType enum**: `RemediationActionType.cs` -- types of remediation actions (e.g., upgrade, patch, configuration change).
- **RemediationStepStatus enum**: `RemediationStepStatus.cs` -- tracks step execution status.
- **RemediationRiskAssessment**: `RemediationRiskAssessment.cs` -- assesses risk impact of applying the remediation.
- **RemediationVerificationStatus enum**: `RemediationVerificationStatus.cs` -- verification state after remediation application.
- **Classifier Integration**: `AIAuthorityClassifier.Remediation.cs` classifies remediation plans; `AIAuthorityClassifier.RemediationScore.cs` computes quality scores for evidence-backing determination.
- **Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/AIRemediationPlanStatement.cs` -- wraps predicate as in-toto statement.
- **Base Class**: `AIArtifactBasePredicate.cs` provides `ModelIdentifier` (`AIModelIdentifier`), `DecodingParameters` (`AIDecodingParameters`), and timestamp fields inherited by the remediation predicate.
## E2E Test Plan
- [ ] Create an `AIRemediationPlanPredicate` with multiple `RemediationStep` entries of different `RemediationActionType` values and verify JSON serialization
- [ ] Create a remediation plan with a `RemediationRiskAssessment` and verify the risk level is correctly captured in the predicate
- [ ] Classify a remediation plan via `AIAuthorityClassifier.Remediation` with high citation/evidence scores and verify `EvidenceBacked` authority
- [ ] Classify a remediation plan with low evidence backing and verify `Suggestion` authority
- [ ] Wrap the predicate in `AIRemediationPlanStatement` and verify it produces a valid in-toto statement
- [ ] Verify `RemediationStepStatus` progression (e.g., Pending -> InProgress -> Completed) is correctly serialized
- [ ] Create a remediation plan with `RemediationVerificationStatus` set and verify the verification state persists through serialization

31
docs/features/unchecked/attestor/asn-1-native-rfc-3161-timestamp-token-parsing.md Normal file
View File

@@ -0,0 +1,31 @@
# ASN.1-Native RFC 3161 Timestamp Token Parsing
## Module
Attestor
## Status
IMPLEMENTED
## Description
Native ASN.1 parsing of RFC 3161 timestamp tokens using System.Formats.Asn1 (no BouncyCastle dependency). Includes request encoding, response decoding, TstInfo extraction, certificate chain parsing, and signature verification. This is the low-level implementation detail behind the known "RFC-3161 TSA Client" entry.
## Implementation Details
- **Timestamp Service**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampService.cs` (with `.Helpers`, `.Timestamp`, `.Verify` partials) -- core service handling RFC 3161 timestamp request/response lifecycle.
- **IAttestationTimestampService**: `IAttestationTimestampService.cs` -- interface for timestamp operations.
- **Timestamp Policy**: `TimestampPolicy.cs`, `TimestampPolicyEvaluator.cs`, `TimestampPolicyResult.cs` -- policy evaluation for timestamp requirements.
- **TSA Certificate Validation**: `TsaCertificateStatus.cs` -- certificate chain status. `TstVerificationStatus.cs` -- TstInfo verification result.
- **Time Correlation**: `TimeCorrelationValidator.cs` (with `.Async`, `.GapChecks`, `.Validate` partials) -- validates timestamp consistency across multiple TSA sources. `TimeCorrelationPolicy.cs`, `TimeCorrelationResult.cs`, `TimeCorrelationStatus.cs` define correlation rules.
- **Time Consistency**: `TimeConsistencyResult.cs` -- result of cross-TSA time consistency checks.
- **Multi-Provider Fallback**: `src/Attestor/__Libraries/StellaOps.Attestor.Infrastructure/Timestamping/TsaMultiProvider.cs` -- fallback chain across multiple TSA providers.
- **Configuration**: `AttestationTimestampOptions.cs`, `AttestationTimestampServiceOptions.cs`, `AttestationTimestampVerificationOptions.cs`, `AttestationTimestampPolicyContext.cs`.
- **Timestamped Attestation**: `TimestampedAttestation.cs` -- wraps an attestation with its timestamp token.
- **Tests**: `StellaOps.Attestor/StellaOps.Attestor.Tests/Timestamping/AttestationTimestampServiceTests.cs`, `AttestationTimestampPolicyTests.cs`, `TimeCorrelationValidatorTests.cs`
## E2E Test Plan
- [ ] Create a timestamp request for a SHA-256 hash via `AttestationTimestampService`, send to a TSA endpoint, and verify the response contains a valid TstInfo with matching hash
- [ ] Parse an RFC 3161 timestamp token response and verify certificate chain extraction produces valid `TsaCertificateStatus`
- [ ] Verify a timestamp token signature against the TSA certificate and confirm `TstVerificationStatus` indicates success
- [ ] Configure `TimeCorrelationValidator` with two TSA sources and verify `TimeConsistencyResult` passes when timestamps are within configured gap tolerance
- [ ] Configure `TimeCorrelationValidator` with a strict gap threshold and submit timestamps with drift exceeding the threshold, verifying `TimeCorrelationStatus` indicates failure
- [ ] Test `TsaMultiProvider` fallback by configuring a primary TSA that fails and a secondary that succeeds, verifying the timestamp is obtained from the fallback provider
- [ ] Create a `TimestampedAttestation` wrapping a DSSE envelope and verify the timestamp token is correctly associated

29
docs/features/unchecked/attestor/attestable-exception-objects-with-expiries-and-audit-trails.md Normal file
View File

@@ -0,0 +1,29 @@
# Attestable Exception Objects with Expiries and Audit Trails
## Module
Attestor
## Status
IMPLEMENTED
## Description
Exceptions are modeled as auditable objects with IDs, owners, expiry dates, and audit trails. The exception ledger UI shows active/pending/expiring counts. Signed override badges indicate cryptographic attestation of exceptions.
## Implementation Details
- **Exception Reference**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Services/ExceptionRef.cs` -- models exception objects with ID, owner, and expiry metadata.
- **Budget Exception Entry**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/BudgetExceptionEntry.cs` -- exception entry within the uncertainty budget system, tracking exception scope and validity period.
- **Budget System Integration**: `BudgetDefinition.cs`, `BudgetObservation.cs`, `BudgetViolationEntry.cs` -- exceptions integrate with the uncertainty budget to allow controlled risk acceptance.
- **VEX Override System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/VexOverridePredicate.cs` -- signed VEX overrides serve as attestable exceptions. `VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods` partials) constructs override predicates. `VexOverrideDecision.cs` captures the decision rationale.
- **Evidence Reference**: `VexOverride/EvidenceReference.cs` -- links exception decisions to supporting evidence.
- **Audit Trail**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Audit/AuditHashLogger.cs` (with `.Validation` partial) logs hash-based audit records. `HashAuditRecord.cs` captures individual audit entries. `AuditArtifactTypes.cs` defines auditable artifact types.
- **Persistence**: `src/Attestor/__Libraries/StellaOps.Attestor.Persistence/Entities/AuditLogEntity.cs` -- database entity for audit log persistence.
- **DSSE Signing**: Exceptions are signed via `ProofChainSigner` to produce cryptographic attestation (signed override badges).
## E2E Test Plan
- [ ] Create an exception via `BudgetExceptionEntry` with owner, expiry date, and justification, then verify all fields serialize correctly
- [ ] Build a `VexOverridePredicate` with `VexOverridePredicateBuilder`, sign it via DSSE, and verify the signed envelope contains the override decision
- [ ] Create an exception with an expiry date in the past and verify budget evaluation treats it as expired (no longer valid)
- [ ] Create an exception with a future expiry and verify it is counted as active in the budget check
- [ ] Log exception creation via `AuditHashLogger` and verify `HashAuditRecord` captures the artifact type, timestamp, and hash
- [ ] Query audit trail for a specific exception ID and verify the complete history of changes is returned
- [ ] Verify that `ExceptionRef` correctly links to `EvidenceReference` for evidence-backed exception justification

29
docs/features/unchecked/attestor/attestable-reachability-slices.md Normal file
View File

@@ -0,0 +1,29 @@
# Attestable reachability slices (DSSE/in-toto signed evidence)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Reachability witness payloads wrapped in DSSE-signed attestations provide verifiable evidence slices for triage decisions.
## Implementation Details
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path` partial) -- defines the witness payload containing call paths from entry points to vulnerable functions.
- **Witness Path Nodes**: `WitnessPathNode.cs`, `WitnessCallPathNode.cs` -- model individual nodes in the reachability call path.
- **Witness Evidence Metadata**: `WitnessEvidenceMetadata.cs` -- metadata about the evidence source (scanner, analysis tool, timestamp).
- **Witness Gate Info**: `WitnessGateInfo.cs` -- gate information for policy evaluation of witness data.
- **Reachability Witness Statement**: `ReachabilityWitnessStatement.cs` -- wraps witness payload as an in-toto statement with subject and predicate.
- **Reachability Subgraph**: `ReachabilitySubgraphStatement.cs` -- subgraph attestation for minimal reachability evidence. `ReachabilitySubgraphPredicate.cs` defines the subgraph predicate.
- **DSSE Signing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` (with `.Verification` partial) signs statements. `DsseEnvelope.cs`, `DsseSignature.cs` model the envelope.
- **Path Witness Predicate Types**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs` -- defines predicate type URIs for path witnesses.
- **Proof Emitter**: `IProofEmitter.cs` -- interface for emitting signed proofs including reachability slices.
## E2E Test Plan
- [ ] Create a `ReachabilityWitnessPayload` with a call path containing 3+ nodes from entry point to vulnerable function, wrap in `ReachabilityWitnessStatement`, and verify the statement structure
- [ ] Sign the witness statement via `ProofChainSigner` and verify the DSSE envelope contains valid signature and payload
- [ ] Verify the signed reachability slice via `ProofChainSigner.Verification` and confirm signature validation passes
- [ ] Create a `ReachabilitySubgraphPredicate` with a minimal subgraph (entry point -> intermediate -> sink) and verify it serializes with correct predicate type
- [ ] Modify the signed envelope payload and verify that signature verification fails (tamper detection)
- [ ] Create witness payloads with `WitnessEvidenceMetadata` from different analysis tools and verify metadata is preserved in the signed attestation

32
docs/features/unchecked/attestor/attestation-bundle-verification.md Normal file
View File

@@ -0,0 +1,32 @@
# Attestation Bundle Verification
## Module
Attestor
## Status
IMPLEMENTED
## Description
Sigstore bundle verification with dedicated verifier and bundler services for validating attestation integrity.
## Implementation Details
- **Sigstore Bundle Verifier**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Verification/SigstoreBundleVerifier.cs` -- verifies Sigstore bundles including signature validation and transparency log verification.
- **Bundle Verification Result**: `BundleVerificationResult.cs` -- result model with pass/fail status and detailed error messages.
- **Sigstore Bundle Model**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Models/SigstoreBundle.cs` -- represents a Sigstore bundle with `VerificationMaterial`, `TransparencyLogEntry`, and `InclusionProof`.
- **Bundle Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Builder/SigstoreBundleBuilder.cs` -- constructs Sigstore bundles from attestation components.
- **Bundle Serializer**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundle/Serialization/SigstoreBundleSerializer.cs` -- JSON serialization/deserialization of Sigstore bundles.
- **Attestation Bundler**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs` -- high-level bundling service implementing `IAttestationBundler`. Aggregates multiple attestations into bundles.
- **Bundle Aggregator**: `IBundleAggregator.cs` -- interface for aggregating attestations.
- **Bundle Store**: `IBundleStore.cs` -- persistence interface for bundles.
- **Org Key Signing**: `Signing/KmsOrgKeySigner.cs` -- signs bundles with organization-level KMS keys.
- **Verification Engine**: `src/Attestor/StellaOps.Attestor.Verify/AttestorVerificationEngine.cs` -- top-level verification engine that orchestrates bundle and attestation verification.
- **Tests**: `__Tests/StellaOps.Attestor.Bundle.Tests/SigstoreBundleVerifierTests.cs`, `SigstoreBundleBuilderTests.cs`, `SigstoreBundleSerializerTests.cs`, `__Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs`
## E2E Test Plan
- [ ] Build a Sigstore bundle via `SigstoreBundleBuilder` with a signed attestation, inclusion proof, and verification material, then verify it via `SigstoreBundleVerifier`
- [ ] Serialize a `SigstoreBundle` to JSON via `SigstoreBundleSerializer`, deserialize it back, and verify round-trip fidelity
- [ ] Tamper with the inclusion proof in a bundle and verify `SigstoreBundleVerifier` returns a failed `BundleVerificationResult` with error details
- [ ] Use `AttestationBundler` to aggregate 3+ attestations into a single bundle and verify the bundle contains all attestation entries
- [ ] Sign a bundle with `KmsOrgKeySigner` and verify the org-level signature is present in the output
- [ ] Run `AttestorVerificationEngine` against a valid bundle and verify all verification checks pass
- [ ] Run `AttestorVerificationEngine` against a bundle with an invalid signature and verify it reports the specific check that failed

30
docs/features/unchecked/attestor/attestation-determinism-testing.md Normal file
View File

@@ -0,0 +1,30 @@
# Attestation Determinism Testing
## Module
Attestor
## Status
IMPLEMENTED
## Description
Golden test vectors and determinism verification tests ensuring byte-for-byte reproducibility of attestations, DSSE envelopes, and policy engine evaluations.
## Implementation Details
- **Golden Samples Tests**: `src/Attestor/__Tests/StellaOps.Attestor.Types.Tests/AttestationGoldenSamplesTests.cs` -- verifies attestations match golden test vectors byte-for-byte.
- **Attestation Determinism Tests**: `__Tests/StellaOps.Attestor.Types.Tests/Determinism/AttestationDeterminismTests.cs` -- ensures repeated attestation generation produces identical output.
- **DSSE Envelope Determinism**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Envelope/DsseEnvelopeDeterminismTests.cs` -- verifies DSSE envelope serialization is deterministic.
- **In-Toto Statement Snapshots**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/InTotoStatementSnapshotTests.cs` -- snapshot tests for in-toto statement serialization stability.
- **Canonical JSON**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` (with `.DecimalPoint`, `.NumberSerialization`, `.StringNormalization`, `.WriteMethods` partials) -- RFC 8785 canonical JSON serialization ensuring deterministic output.
- **CycloneDX Determinism**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/CycloneDxDeterminismTests.cs` -- verifies CycloneDX SBOM output is deterministic.
- **SPDX Determinism**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/SpdxDeterminismTests.cs` -- verifies SPDX SBOM output is deterministic.
- **Canonical JSON Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/JsonCanonicalizerTests.cs`, `__Tests/StellaOps.Attestor.StandardPredicates.Tests/JsonCanonicalizerTests.cs`
- **Conformance Tests**: `__Tests/StellaOps.Attestor.Conformance.Tests/` -- `VerificationParityTests.cs`, `InclusionProofParityTests.cs`, `CheckpointParityTests.cs` verify cross-implementation consistency.
## E2E Test Plan
- [ ] Generate an attestation from identical inputs twice and compare SHA-256 hashes of the serialized output to verify byte-for-byte equality
- [ ] Serialize a DSSE envelope, deserialize it, re-serialize, and verify the output bytes are identical (idempotent serialization)
- [ ] Run the RFC 8785 canonicalizer on JSON with out-of-order keys, varied whitespace, and Unicode escapes, then verify the output matches the canonical form
- [ ] Generate CycloneDX SBOM output from identical inputs on two separate runs and verify SHA-256 hash match
- [ ] Generate SPDX SBOM output from identical inputs on two separate runs and verify SHA-256 hash match
- [ ] Verify golden sample test vectors by comparing generated attestation against known-good fixtures stored in the test project
- [ ] Run conformance parity tests to verify Attestor output matches reference implementations for checkpoint parsing, inclusion proofs, and verification

30
docs/features/unchecked/attestor/attestation-timestamp-pipeline-with-time-correlation-validation.md Normal file
View File

@@ -0,0 +1,30 @@
# Attestation Timestamp Pipeline with Time Correlation Validation
## Module
Attestor
## Status
IMPLEMENTED
## Description
Integration of RFC 3161 timestamps into the attestation pipeline with TST-Rekor time correlation validation that detects anti-backdating attempts by cross-referencing TST genTime against Rekor integratedTime. Includes CycloneDx/SPDX timestamp extensions and policy-gated timestamping. No direct match in known features list.
## Implementation Details
- **Timestamp Service**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampService.cs` (with `.Helpers`, `.Timestamp`, `.Verify` partials) -- core RFC 3161 timestamp request/response pipeline.
- **Time Correlation Validator**: `TimeCorrelationValidator.cs` (with `.Async`, `.GapChecks`, `.Validate` partials) -- cross-references TST genTime against Rekor integratedTime to detect anti-backdating. `TimeCorrelationPolicy.cs` defines acceptable drift windows. `TimeCorrelationResult.cs` and `TimeCorrelationStatus.cs` capture validation outcomes. `TimeConsistencyResult.cs` aggregates cross-source consistency.
- **Timestamp Policy**: `TimestampPolicy.cs`, `TimestampPolicyEvaluator.cs`, `TimestampPolicyResult.cs` -- policy-gated timestamping determining when timestamps are required.
- **CycloneDX Timestamp Extension**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxTimestampExtension.cs` (with `.Extract` partial) -- embeds timestamp tokens into CycloneDX output.
- **SPDX Timestamp Extension**: `SpdxTimestampExtension.cs` (with `.Extract` partial) -- embeds timestamp tokens into SPDX output.
- **Rekor Receipt**: `src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/RekorReceipt.cs` -- Rekor receipt model with `integratedTime` for cross-reference.
- **TSA Multi-Provider**: `src/Attestor/__Libraries/StellaOps.Attestor.Infrastructure/Timestamping/TsaMultiProvider.cs` -- fallback chain across TSA providers.
- **Configuration**: `AttestationTimestampOptions.cs`, `AttestationTimestampServiceOptions.cs`, `AttestationTimestampVerificationOptions.cs`, `AttestationTimestampPolicyContext.cs`.
- **Tests**: `StellaOps.Attestor.Tests/Timestamping/AttestationTimestampServiceTests.cs`, `AttestationTimestampPolicyTests.cs`, `TimeCorrelationValidatorTests.cs`, `__Tests/StellaOps.Attestor.StandardPredicates.Tests/TimestampExtensionTests.cs`
## E2E Test Plan
- [ ] Timestamp an attestation via `AttestationTimestampService`, retrieve the Rekor receipt, and verify `TimeCorrelationValidator` passes when TST genTime and Rekor integratedTime are within the configured drift window
- [ ] Set a strict `TimeCorrelationPolicy` (e.g., max 5-second drift) and submit a timestamp where genTime differs from integratedTime by 10 seconds, verifying the validator returns a failure `TimeCorrelationStatus`
- [ ] Evaluate `TimestampPolicyEvaluator` with a policy requiring timestamps for production artifacts and verify it gates appropriately
- [ ] Generate a CycloneDX SBOM with `CycloneDxTimestampExtension` and verify the timestamp token is embedded in the output
- [ ] Generate an SPDX SBOM with `SpdxTimestampExtension` and verify the timestamp token is embedded in the output
- [ ] Extract timestamps from a CycloneDX document and verify the extracted `genTime` matches the original
- [ ] Test `TsaMultiProvider` fallback by simulating primary TSA timeout and verifying secondary provider is used

30
docs/features/unchecked/attestor/attestor-conformance-test-suite.md Normal file
View File

@@ -0,0 +1,30 @@
# Attestor Conformance Test Suite
## Module
Attestor
## Status
IMPLEMENTED
## Description
Conformance test suite verifying Sigstore/Rekor verification parity against reference implementations. Tests inclusion proof verification, checkpoint parsing, and signature validation against known-good test vectors.
## Implementation Details
- **Conformance Tests**: `src/Attestor/__Tests/StellaOps.Attestor.Conformance.Tests/` -- dedicated conformance test project:
- `VerificationParityTests.cs` -- verifies attestation verification produces identical results to reference implementations
- `InclusionProofParityTests.cs` -- verifies Merkle inclusion proof verification matches reference
- `CheckpointParityTests.cs` -- verifies checkpoint parsing and validation matches reference
- `ConformanceTestFixture.cs` -- shared fixture with known-good test vectors
- **Checkpoint Verification**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/CheckpointSignatureVerifier.cs` -- checkpoint signature verification against reference. Tests: `StellaOps.Attestor.Core.Tests/Verification/CheckpointSignatureVerifierTests.cs`
- **Merkle Proof Verifier**: `StellaOps.Attestor.Core/Verification/MerkleProofVerifier.cs` -- verifies Merkle inclusion proofs. Tests: `StellaOps.Attestor.Tests/MerkleProofVerifierTests.cs`
- **Rekor Receipt Verification**: `StellaOps.Attestor.Core/Rekor/RekorReceipt.cs` -- receipt model. `StellaOps.Attestor.Core/Verification/RekorOfflineReceiptVerifier.cs` -- offline receipt verification. Tests: `StellaOps.Attestor.Core.Tests/RekorOfflineReceiptVerifierTests.cs`, `StellaOps.Attestor.Core.Tests/Rekor/RekorReceiptTests.cs`
- **Checkpoint Divergence**: `StellaOps.Attestor.Core/Rekor/CheckpointDivergenceDetector.cs` -- detects split-world attacks. Tests: `StellaOps.Attestor.Core.Tests/Rekor/CheckpointDivergenceDetectorTests.cs`, `CheckpointDivergenceByzantineTests.cs`
## E2E Test Plan
- [ ] Run `VerificationParityTests` against known-good Sigstore verification test vectors and verify all pass
- [ ] Run `InclusionProofParityTests` with reference Merkle proofs and verify computed roots match expected values
- [ ] Run `CheckpointParityTests` with reference checkpoint data and verify signature validation matches expected outcomes
- [ ] Verify `CheckpointSignatureVerifier` validates a signed checkpoint against a known public key and returns success
- [ ] Verify `MerkleProofVerifier` validates an inclusion proof with correct sibling hashes and returns the correct root
- [ ] Verify `RekorOfflineReceiptVerifier` validates a receipt without network access using embedded inclusion proof
- [ ] Run `CheckpointDivergenceDetector` with two checkpoints from different Rekor instances showing divergent trees and verify detection

30
docs/features/unchecked/attestor/auditor-evidence-extraction.md Normal file
View File

@@ -0,0 +1,30 @@
# Auditor Evidence Extraction (Audit Pack / Evidence Pack)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Exportable evidence packs (audit bundles) containing RVA attestation, policy bundle, knowledge snapshot manifest, referenced evidence artifacts, and verification replay logs for auditor consumption.
## Implementation Details
- **Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- constructs complete evidence packs containing all artifacts needed for audit verification.
- **Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- serializes evidence packs to portable format.
- **Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest listing all artifacts in the pack with digests.
- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- captures the sequence of verification steps for deterministic replay.
- **Replay Log Builder**: `Services/VerificationReplayLogBuilder.cs` -- builds replay logs during verification. `ReplayLogSerializerContext.cs` -- serialization context.
- **Archive Store**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Storage/IAttestorArchiveStore.cs`, `AttestorArchiveBundle.cs` -- interface and model for archive storage. `Infrastructure/Storage/S3AttestorArchiveStore.cs`, `NullAttestorArchiveStore.cs` -- S3 and null implementations.
- **Audit Records**: `StellaOps.Attestor.Core/Audit/AttestorAuditRecord.cs` -- audit record model. `StellaOps.Attestor.Core/Storage/IAttestorAuditSink.cs` -- sink interface.
- **Tests**: `__Tests/StellaOps.Attestor.EvidencePack.Tests/ReleaseEvidencePackBuilderTests.cs`, `ReleaseEvidencePackManifestTests.cs`, `VerificationReplayLogBuilderTests.cs`
- **Integration Tests**: `__Tests/StellaOps.Attestor.EvidencePack.IntegrationTests/` -- `EvidencePackGenerationTests.cs`, `OfflineVerificationTests.cs`, `ReproducibilityTests.cs`, `TamperDetectionTests.cs`, `SlsaStrictValidationTests.cs`
## E2E Test Plan
- [ ] Build a `ReleaseEvidencePackManifest` via `ReleaseEvidencePackBuilder` with SBOM, VEX, attestation, and provenance artifacts, then verify manifest contains entries for each artifact with correct SHA-256 digests
- [ ] Serialize the evidence pack via `ReleaseEvidencePackSerializer` and verify the output can be deserialized back with all artifacts intact
- [ ] Build a `VerificationReplayLog` capturing 5+ verification steps and verify the log contains each step in order with timestamps and results
- [ ] Export the evidence pack, then replay verification using the replay log and verify identical outcomes (reproducibility)
- [ ] Tamper with an artifact in the exported pack and verify that digest verification detects the modification
- [ ] Archive an evidence pack to S3 via `S3AttestorArchiveStore` and retrieve it, verifying content integrity
- [ ] Verify the evidence pack includes all required audit artifacts (attestation chain, policy bundle, knowledge snapshot)

31
docs/features/unchecked/attestor/auditor-ready-evidence-export-packs.md Normal file
View File

@@ -0,0 +1,31 @@
# Auditor-Ready Evidence Export Packs (SBOM + VEX + Attestation + Provenance)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Full audit pack export system with verdict replay attestation, evidence bundling, and export center with timeline integration and scheduling.
## Implementation Details
- **Evidence Pack Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/ReleaseEvidencePackBuilder.cs` -- constructs export-ready evidence packs containing SBOM, VEX, attestation, and provenance artifacts.
- **Evidence Pack Manifest**: `Models/ReleaseEvidencePackManifest.cs` -- manifest with digest-verified artifact listings.
- **Evidence Pack Serializer**: `ReleaseEvidencePackSerializer.cs` -- portable serialization format.
- **Verification Replay Log**: `Models/VerificationReplayLog.cs` -- captures verification steps for replay. `Services/VerificationReplayLogBuilder.cs` -- builds replay logs.
- **Offline Kit Bundle**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/OfflineKitBundleProvider.cs` -- provides offline-ready bundles for air-gap scenarios.
- **Attestation Bundler**: `AttestationBundler.cs` -- aggregates attestations. `IBundleStore.cs` -- persistence. `BundlingOptions.cs` -- configuration.
- **Retention Policy**: `RetentionPolicyEnforcer.cs` -- enforces retention policies on exported packs.
- **Archive Storage**: `StellaOps.Attestor.Core/Storage/IAttestorArchiveStore.cs` -- archive interface. `S3AttestorArchiveStore.cs` -- S3 implementation.
- **Offline Bundle**: `StellaOps.Attestor.Core/Offline/AttestorOfflineBundle.cs`, `IAttestorBundleService.cs` -- offline bundle support.
- **Integration Tests**: `__Tests/StellaOps.Attestor.EvidencePack.IntegrationTests/` -- `EvidencePackGenerationTests.cs`, `OfflineVerificationTests.cs`, `ReproducibilityTests.cs`, `TamperDetectionTests.cs`
## E2E Test Plan
- [ ] Build a complete evidence export pack containing SBOM (CycloneDX), VEX document, DSSE-signed attestation, and SLSA provenance via `ReleaseEvidencePackBuilder`
- [ ] Serialize the pack and verify the manifest lists all four artifact types with correct SHA-256 digests
- [ ] Export an offline kit via `OfflineKitBundleProvider` and verify all required artifacts are included for air-gap verification
- [ ] Verify the replay log captures the full verification sequence and can be replayed to produce identical results
- [ ] Test retention policy enforcement by creating a pack older than the retention window and verifying `RetentionPolicyEnforcer` marks it for cleanup
- [ ] Archive a pack to S3 and retrieve it, verifying all artifacts are intact and digests match the manifest
- [ ] Tamper with a single artifact in the pack and verify integrity validation detects the modification

28
docs/features/unchecked/attestor/auto-vex-drafting-attestation.md Normal file
View File

@@ -0,0 +1,28 @@
# Auto-VEX Drafting Attestation
## Module
Attestor
## Status
IMPLEMENTED
## Description
VEX draft generation attestation types for AI-generated VEX statements with justifications, enabling lattice-aware merge preview.
## Implementation Details
- **AIVexDraftPredicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/AI/AIVexDraftPredicate.cs` -- extends `AIArtifactBasePredicate` with VEX-specific draft fields.
- **AIVexStatementDraft**: `AIVexStatementDraft.cs` -- individual VEX statement draft with status, justification, and product/vulnerability references.
- **AIVexJustification**: `AIVexJustification.cs` -- AI-generated justification for VEX status decisions.
- **Classifier Integration**: `AIAuthorityClassifier.VexDraft.cs` and `AIAuthorityClassifier.VexDraftScore.cs` -- classifies VEX drafts into Suggestion/EvidenceBacked/AuthorityThreshold.
- **Statement**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/AIVexDraftStatement.cs` -- wraps VEX draft as in-toto statement.
- **VEX Predicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/VexPredicate.cs` -- base VEX predicate. `VexAttestationPredicate.cs` -- VEX attestation predicate.
- **VEX Override System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/VexOverride/` -- `VexOverridePredicateBuilder.cs` (with `.Build`, `.Serialize`, `.WithMethods`), `VexOverridePredicateParser.cs` (with multiple partials) for building and parsing VEX overrides.
- **VEX Proof Integration**: `__Libraries/StellaOps.Attestor.ProofChain/Generators/VexProofIntegrator.cs` (with `.Helpers`, `.Metadata`) and `VexVerdictProofPayload.cs` -- integrates VEX drafts into the proof chain.
## E2E Test Plan
- [ ] Create an `AIVexDraftPredicate` with multiple `AIVexStatementDraft` entries (not_affected, affected, under_investigation) and verify JSON serialization preserves all fields
- [ ] Create a VEX draft with `AIVexJustification` containing evidence citations and classify via `AIAuthorityClassifier.VexDraft`, verifying EvidenceBacked authority when citations are sufficient
- [ ] Wrap the VEX draft in `AIVexDraftStatement` and verify it produces a valid in-toto statement with correct predicate type
- [ ] Build a `VexOverridePredicate` from an AI-generated draft via `VexOverridePredicateBuilder` and verify the override captures the draft's justification
- [ ] Parse a serialized VEX override via `VexOverridePredicateParser` and verify all fields round-trip correctly
- [ ] Integrate a VEX draft into the proof chain via `VexProofIntegrator` and verify the proof payload contains the draft evidence

34
docs/features/unchecked/attestor/backport-proof-service.md Normal file
View File

@@ -0,0 +1,34 @@
# Backport Proof Service
## Module
Attestor
## Status
IMPLEMENTED
## Description
BackportProof library in Concelier and multi-tier BackportProofGenerator in Attestor with confidence scoring, evidence combining, and tier-based proof generation (Tier 1 through 4 plus signature variants).
## Implementation Details
- **BackportProofGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.cs` -- orchestrates multi-tier backport proof generation. Partials:
- `BackportProofGenerator.Tier1.cs` -- Tier 1: exact version match proofs
- `BackportProofGenerator.Tier2.cs` -- Tier 2: advisory-level evidence
- `BackportProofGenerator.Tier3.cs` -- Tier 3: heuristic/pattern matching
- `BackportProofGenerator.Tier3Signature.cs` -- Tier 3 signature variant with binary signature comparison
- `BackportProofGenerator.Tier4.cs` -- Tier 4: lowest confidence, inference-based
- `BackportProofGenerator.Confidence.cs` -- confidence scoring across tiers using proof-strength hierarchy
- `BackportProofGenerator.CombineEvidence.cs` -- evidence aggregation from multiple tiers
- `BackportProofGenerator.Status.cs` -- status tracking for proof generation progress
- `BackportProofGenerator.VulnerableUnknown.cs` -- handling of unknown vulnerability status
- **Evidence Summary**: `EvidenceSummary.cs` -- aggregated evidence output from proof generation.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`
## E2E Test Plan
- [ ] Generate a Tier 1 proof for a package with exact version match in advisory data and verify high confidence score (>= 0.9)
- [ ] Generate a Tier 2 proof using advisory-level evidence (CVE matches package family) and verify moderate confidence score
- [ ] Generate a Tier 3 proof using binary signature comparison and verify it includes signature match details
- [ ] Generate a Tier 4 inference-based proof and verify it has the lowest confidence score among all tiers
- [ ] Combine evidence from Tier 1 and Tier 2 via `CombineEvidence` and verify the combined confidence is higher than either individual tier
- [ ] Generate a proof for a package with `VulnerableUnknown` status and verify the generator handles it with appropriate uncertainty indicators
- [ ] Verify `EvidenceSummary` output contains entries from all applicable tiers with per-tier confidence scores
- [ ] Generate proofs for the same package twice and verify deterministic output (same confidence scores and evidence)

31
docs/features/unchecked/attestor/binary-diff-predicate-dsse-attestation-for-patch-detection.md Normal file
View File

@@ -0,0 +1,31 @@
# Binary Diff Predicate / DSSE Attestation for Patch Detection
## Module
Attestor
## Status
IMPLEMENTED
## Description
Complete BinaryDiff predicate implementation with DSSE signing/verification, schema validation, normalization, and serialization for patch detection attestations.
## Implementation Details
- **BinaryDiff Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build` partial) -- implements `IBinaryDiffPredicateBuilder` to construct binary diff predicates from diff findings.
- **BinaryDiff Predicate Serializer**: `BinaryDiffPredicateSerializer.cs` (with `.Normalize` partial) -- implements `IBinaryDiffPredicateSerializer` for deterministic serialization with normalization.
- **DSSE Signing**: `BinaryDiffDsseSigner.cs` -- signs binary diff predicates as DSSE envelopes.
- **DSSE Verification**: `BinaryDiffDsseVerifier.cs` (with `.Helpers` partial) -- implements `IBinaryDiffDsseVerifier` for verifying signed binary diff attestations.
- **Schema Validation**: `BinaryDiffSchema.cs` (with `.SchemaJson` partial) -- JSON schema for binary diff predicates. `BinaryDiffSchemaValidationResult.cs` -- validation result model.
- **Models**: `BinaryDiffModels.cs` -- core diff models. `BinaryDiffSectionModels.cs` -- section-level diff models (ELF/PE sections). `BinaryDiffFinding.cs` -- individual diff finding. `BinaryDiffOptions.cs` -- configuration.
- **Metadata**: `BinaryDiffMetadataBuilder.cs` -- builds metadata for diff predicates.
- **DI Registration**: `ServiceCollectionExtensions.cs` -- registers all BinaryDiff services.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- `BinaryDiffPredicateBuilderTests.cs`, `BinaryDiffPredicateSerializerTests.cs`, `BinaryDiffDsseSignerTests.cs`, `BinaryDiffSchemaValidationTests.cs`
## E2E Test Plan
- [ ] Build a binary diff predicate from a set of `BinaryDiffFinding` entries via `BinaryDiffPredicateBuilder` and verify the predicate contains all findings
- [ ] Serialize the predicate via `BinaryDiffPredicateSerializer` and verify normalization produces deterministic output (serialize twice, compare bytes)
- [ ] Sign the serialized predicate via `BinaryDiffDsseSigner` and verify the DSSE envelope is well-formed
- [ ] Verify the signed envelope via `BinaryDiffDsseVerifier` and confirm verification passes
- [ ] Tamper with the signed envelope payload and verify `BinaryDiffDsseVerifier` returns failure
- [ ] Validate a predicate against the JSON schema via `BinaryDiffSchema` and verify it passes
- [ ] Create a predicate with section-level diffs (`BinaryDiffSectionModels`) for ELF `.text` and `.rodata` sections and verify section details are preserved
- [ ] Create a predicate missing required fields and verify schema validation catches the error

32
docs/features/unchecked/attestor/binary-diff-with-deterministic-signatures.md Normal file
View File

@@ -0,0 +1,32 @@
# Binary Diff with Deterministic Signatures
## Module
Attestor
## Status
IMPLEMENTED
## Description
Binary diff analysis with DSSE-signed evidence output is implemented. The system compares binaries, produces deterministic diff signatures, serializes predicates, and integrates with VEX evidence linking. While the advisory specifically mentions B2R2 IR lifting, the implemented approach uses binary section-level diffing with DSSE attestation.
## Implementation Details
- **BinaryDiff Predicate System**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/` -- full predicate lifecycle:
- `BinaryDiffPredicateBuilder.cs` (with `.Build`) -- constructs predicates from diff findings
- `BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- deterministic serialization via normalization
- `BinaryDiffDsseSigner.cs` -- DSSE envelope signing for deterministic signatures
- `BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- signature verification
- `BinaryDiffSectionModels.cs` -- section-level diff models for ELF/PE binaries
- **Evidence Integration**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers` partial) -- generates fingerprint evidence from binary analysis.
- **Binary Identity**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs` -- binary identity model. `BinaryVulnMatchInfo.cs` -- vulnerability match details.
- **Binary Fingerprint Predicate**: `BinaryFingerprintEvidencePredicate.cs` -- predicate for fingerprint evidence.
- **VEX Integration**: `VexProofIntegrator.cs` links binary diff evidence to VEX decisions.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- builder, serializer, signer, schema validation tests
## E2E Test Plan
- [ ] Perform a binary diff between two versions of a binary and produce a `BinaryDiffPredicateBuilder` output with section-level changes
- [ ] Serialize the diff predicate via `BinaryDiffPredicateSerializer.Normalize` and verify byte-for-byte determinism across two invocations
- [ ] Sign the normalized predicate via `BinaryDiffDsseSigner` and verify the DSSE envelope signature is valid
- [ ] Verify the signed diff evidence via `BinaryDiffDsseVerifier` and confirm integrity
- [ ] Generate binary fingerprint evidence via `BinaryFingerprintEvidenceGenerator` from a binary with known vulnerability matches and verify `BinaryVulnMatchInfo` is populated
- [ ] Link binary diff evidence to a VEX decision via `VexProofIntegrator` and verify the proof chain includes the diff artifact
- [ ] Create diff findings for both ELF and PE section types and verify `BinaryDiffSectionModels` handles both formats

29
docs/features/unchecked/attestor/binary-fingerprint-evidence-for-reachability-proofs.md Normal file
View File

@@ -0,0 +1,29 @@
# Binary Fingerprint Evidence for Reachability Proofs
## Module
Attestor
## Status
IMPLEMENTED
## Description
Binary fingerprint evidence generation with identity info, vulnerability match info, and micro-witness binary references provides cryptographic evidence for binary reachability claims.
## Implementation Details
- **BinaryFingerprintEvidenceGenerator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers` partial) -- generates attestable fingerprint evidence segments from binary vulnerability findings.
- **BinaryFingerprintEvidencePredicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryFingerprintEvidencePredicate.cs` -- predicate type for binary fingerprint evidence in proof bundles.
- **BinaryIdentityInfo**: `Predicates/BinaryIdentityInfo.cs` -- captures binary identity (path, hash, format, architecture).
- **BinaryVulnMatchInfo**: `Predicates/BinaryVulnMatchInfo.cs` -- vulnerability match details linking binary to CVE.
- **Micro-Witness Models**: `MicroWitnessBinaryRef.cs` -- binary reference within micro-witness. `MicroWitnessCveRef.cs` -- CVE reference. `MicroWitnessFunctionEvidence.cs` -- function-level evidence. `MicroWitnessSbomRef.cs` -- SBOM cross-reference. `MicroWitnessTooling.cs` -- analysis tool info. `MicroWitnessVerdicts.cs` -- micro-witness verdicts.
- **Binary Micro-Witness Predicate**: `BinaryMicroWitnessPredicate.cs` -- complete micro-witness predicate combining binary evidence with reachability data.
- **Statement**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/BinaryMicroWitnessStatement.cs` -- in-toto statement wrapper.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`
## E2E Test Plan
- [ ] Generate binary fingerprint evidence via `BinaryFingerprintEvidenceGenerator` for a binary with known vulnerabilities and verify the output contains `BinaryIdentityInfo` with correct hash and format
- [ ] Verify `BinaryVulnMatchInfo` correctly links a binary identity to a specific CVE with match confidence
- [ ] Create a `BinaryMicroWitnessPredicate` with `MicroWitnessBinaryRef`, `MicroWitnessCveRef`, and `MicroWitnessFunctionEvidence` and verify all cross-references are populated
- [ ] Verify `MicroWitnessSbomRef` correctly links the binary evidence to an SBOM component entry
- [ ] Wrap the micro-witness predicate in `BinaryMicroWitnessStatement` and verify it produces a valid in-toto statement
- [ ] Generate evidence for a binary with no vulnerability matches and verify the generator produces an empty/clean evidence set
- [ ] Verify `MicroWitnessTooling` captures the analysis tool name and version used to generate the evidence

28
docs/features/unchecked/attestor/binary-fingerprint-evidence-generation.md Normal file
View File

@@ -0,0 +1,28 @@
# Binary Fingerprint Evidence Generation
## Module
Attestor
## Status
IMPLEMENTED
## Description
Extensive binary fingerprinting with disassembly, delta signatures, fingerprint indexing, and attestable proof generation covering ELF/PE analysis.
## Implementation Details
- **Evidence Generator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers` partial) -- generates attestable proof segments from binary fingerprint analysis. Produces `BinaryFingerprintEvidencePredicate` payloads.
- **Binary Identity**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs` -- binary identity (path, hash, format: ELF/PE/Mach-O, architecture).
- **Vulnerability Matching**: `BinaryVulnMatchInfo.cs` -- links binary identity to CVE matches with confidence.
- **Micro-Witness Evidence**: `MicroWitnessBinaryRef.cs`, `MicroWitnessFunctionEvidence.cs` -- function-level evidence linking fingerprints to reachability. `MicroWitnessTooling.cs` -- tool metadata.
- **Binary Diff Integration**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/` -- `BinaryDiffPredicateBuilder.cs`, `BinaryDiffSectionModels.cs` handle section-level diffing for delta signature computation.
- **Content-Addressed Storage**: fingerprint evidence is content-addressed via `ContentAddressedIdGenerator` from `__Libraries/StellaOps.Attestor.ProofChain/Identifiers/`.
- **Note**: Actual binary disassembly and fingerprint indexing lives in `src/BinaryIndex/` module; Attestor provides the attestation layer wrapping those results.
## E2E Test Plan
- [ ] Generate fingerprint evidence from a binary analysis result containing ELF section hashes and verify `BinaryFingerprintEvidencePredicate` captures all section fingerprints
- [ ] Generate fingerprint evidence from PE binary analysis and verify format-specific sections (.text, .rdata, .rsrc) are represented
- [ ] Verify the evidence generator produces content-addressed IDs for each fingerprint evidence artifact
- [ ] Create delta signatures by running the generator on two binary versions and verify the diff captures added/removed/changed sections
- [ ] Verify `MicroWitnessFunctionEvidence` links specific functions to their fingerprint evidence
- [ ] Run the generator twice on identical inputs and verify deterministic output (same evidence IDs)
- [ ] Verify the generated evidence can be embedded in a DSSE-signed attestation via the proof chain signing infrastructure

28
docs/features/unchecked/attestor/binary-fingerprinting.md Normal file
View File

@@ -0,0 +1,28 @@
# Binary Fingerprinting (TLSH + Instruction Hashing)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Binary fingerprinting infrastructure with two methods: Simplified TLSH (locality-sensitive hashing) and Instruction Hash (normalized instruction sequence hashing). Both are proof-of-concept implementations noted as needing production-grade library integration. BinaryFingerprintEvidenceGenerator creates attestable proof segments from binary vulnerability findings.
## Implementation Details
- **Evidence Generator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- attestation layer for binary fingerprint evidence. Creates `BinaryFingerprintEvidencePredicate` payloads from fingerprint analysis results.
- **Fingerprint Evidence Predicate**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryFingerprintEvidencePredicate.cs` -- wraps fingerprint data (TLSH hash, instruction hash) as attestable predicate.
- **Binary Identity**: `BinaryIdentityInfo.cs` -- captures binary metadata (path, SHA-256 hash, format, architecture).
- **Micro-Witness Integration**: `MicroWitnessBinaryRef.cs` -- references specific binary in micro-witness evidence. `MicroWitnessFunctionEvidence.cs` -- function-level fingerprint evidence.
- **Note**: The actual TLSH and instruction hashing algorithms live in `src/BinaryIndex/` (the binary analysis module). The Attestor module provides the attestation wrapper and proof-chain integration.
- **Content Addressing**: Fingerprint evidence is stored with content-addressed IDs via `ContentAddressedIdGenerator`.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`
## E2E Test Plan
- [ ] Generate a `BinaryFingerprintEvidencePredicate` from TLSH hash results and verify the predicate contains the locality-sensitive hash
- [ ] Generate a predicate from instruction hash results and verify the normalized instruction sequence hash is captured
- [ ] Verify `BinaryIdentityInfo` correctly captures binary format (ELF/PE/Mach-O) and architecture
- [ ] Create micro-witness evidence linking a fingerprint to a specific function via `MicroWitnessFunctionEvidence` and verify the reference chain
- [ ] Verify content-addressed IDs are generated deterministically for identical fingerprint evidence
- [ ] Wrap fingerprint evidence in a DSSE-signed attestation and verify the signed envelope contains the correct predicate type
- [ ] Generate fingerprint evidence for two versions of the same binary and verify the TLSH hashes differ but remain within expected similarity range

29
docs/features/unchecked/attestor/binary-level-sca-and-provenance.md Normal file
View File

@@ -0,0 +1,29 @@
# Binary-Level SCA and Provenance
## Module
Attestor
## Status
IMPLEMENTED
## Description
Binary fingerprint evidence generation, binary identity and vulnerability matching info, and native binary hardening analysis for PE, ELF, and Mach-O formats.
## Implementation Details
- **Binary Fingerprint Evidence**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- generates attestable evidence from binary SCA results.
- **Binary Identity**: `__Libraries/StellaOps.Attestor.ProofChain/Predicates/BinaryIdentityInfo.cs` -- captures binary identity: file path, SHA-256 digest, binary format (PE/ELF/Mach-O), architecture, and version info.
- **Vulnerability Matching**: `BinaryVulnMatchInfo.cs` -- links binary identity to CVE matches with match type and confidence score.
- **Binary Fingerprint Predicate**: `BinaryFingerprintEvidencePredicate.cs` -- attestable predicate wrapping binary SCA results.
- **Micro-Witness Evidence**: `MicroWitnessBinaryRef.cs`, `MicroWitnessCveRef.cs`, `MicroWitnessFunctionEvidence.cs`, `MicroWitnessSbomRef.cs` -- fine-grained evidence linking binary analysis to SBOM components and CVEs.
- **Binary Diff for Provenance**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffSectionModels.cs` -- section-level diff models for PE (.text, .rdata) and ELF (.text, .rodata) sections.
- **SLSA Provenance Integration**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Parsers/SlsaProvenancePredicateParser.cs` -- parses SLSA provenance predicates that include build materials (binaries).
- **Note**: Actual binary hardening analysis (DEP, ASLR, stack canaries, etc.) lives in `src/Scanner/` and `src/BinaryIndex/`.
## E2E Test Plan
- [ ] Generate binary SCA evidence for a PE binary and verify `BinaryIdentityInfo` captures format as PE with correct architecture
- [ ] Generate evidence for an ELF binary and verify format detection
- [ ] Create `BinaryVulnMatchInfo` linking a binary identity to a CVE and verify match details (CVE ID, confidence, match type)
- [ ] Create micro-witness evidence with `MicroWitnessSbomRef` linking binary analysis results to SBOM component entries
- [ ] Generate a binary diff between two binary versions and verify section-level changes are captured in `BinaryDiffSectionModels`
- [ ] Verify binary fingerprint evidence integrates with SLSA provenance by including binary digests in build materials
- [ ] Sign binary SCA evidence as a DSSE attestation and verify the signature covers the complete `BinaryFingerprintEvidencePredicate`

33
docs/features/unchecked/attestor/binary-reachability-proofs-binary-diff-analysis.md Normal file
View File

@@ -0,0 +1,33 @@
# Binary Reachability Proofs / Binary Diff Analysis
## Module
Attestor
## Status
IMPLEMENTED
## Description
Full binary diff analysis pipeline with schema validation, DSSE-verified predicates, normalization, and fingerprint evidence generation.
## Implementation Details
- **BinaryDiff Pipeline**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/` -- complete pipeline:
- `IBinaryDiffPredicateBuilder.cs` / `BinaryDiffPredicateBuilder.cs` (with `.Build`) -- constructs diff predicates
- `IBinaryDiffPredicateSerializer.cs` / `BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- deterministic serialization
- `IBinaryDiffDsseVerifier.cs` / `BinaryDiffDsseVerifier.cs` (with `.Helpers`) -- DSSE verification
- `BinaryDiffDsseSigner.cs` -- DSSE signing
- `BinaryDiffSchema.cs` (with `.SchemaJson`) -- JSON schema validation
- `BinaryDiffSectionModels.cs` -- section-level models (ELF/PE)
- `BinaryDiffFinding.cs` -- individual findings
- `BinaryDiffMetadataBuilder.cs` -- metadata construction
- **Fingerprint Evidence**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BinaryFingerprintEvidenceGenerator.cs` (with `.Helpers`) -- generates reachability-aware fingerprint evidence.
- **Reachability Integration**: Binary diff evidence feeds into `ReachabilityWitnessPayload` (statements) and `BinaryMicroWitnessPredicate` (predicates) for reachability proof chains.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- builder, serializer, signer, schema validation tests. `__Tests/StellaOps.Attestor.ProofChain.Tests/BinaryMicroWitnessPredicateTests.cs`
## E2E Test Plan
- [ ] Run the full binary diff pipeline: build predicate from findings, normalize/serialize, sign with DSSE, verify signature, validate against schema
- [ ] Create diff findings for a patched vulnerability (binary changed in .text section) and verify the predicate captures the patch as a security-relevant change
- [ ] Normalize the same diff predicate twice and verify byte-for-byte output equality
- [ ] Validate a well-formed predicate against `BinaryDiffSchema` and verify it passes
- [ ] Validate a predicate missing required fields and verify schema validation fails with specific error
- [ ] Generate fingerprint evidence from a binary diff result and verify it links to the diff attestation
- [ ] Feed binary diff evidence into a `BinaryMicroWitnessPredicate` and verify the reachability proof chain includes the diff evidence

29
docs/features/unchecked/attestor/binarydiff-binary-sca-attestation.md Normal file
View File

@@ -0,0 +1,29 @@
# BinaryDiff/Binary SCA Attestation
## Module
Attestor
## Status
IMPLEMENTED
## Description
Binary diff predicate builder with DSSE signing/verification, section-level diff models, schema validation, and integration with evidence bundle exporter.
## Implementation Details
- **Predicate Builder**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffPredicateBuilder.cs` (with `.Build`) -- constructs binary diff predicates from `BinaryDiffFinding` entries.
- **DSSE Signing/Verification**: `BinaryDiffDsseSigner.cs` signs predicates. `BinaryDiffDsseVerifier.cs` (with `.Helpers`) verifies signed envelopes.
- **Serialization**: `BinaryDiffPredicateSerializer.cs` (with `.Normalize`) -- deterministic normalization and serialization.
- **Schema Validation**: `BinaryDiffSchema.cs` (with `.SchemaJson`) -- embedded JSON schema. `BinaryDiffSchemaValidationResult.cs` -- validation output.
- **Section Models**: `BinaryDiffSectionModels.cs` -- ELF/PE section-level diff models. `BinaryDiffModels.cs` -- core models.
- **Evidence Bundle Integration**: Evidence packs (`src/Attestor/__Libraries/StellaOps.Attestor.EvidencePack/`) include binary diff attestations in export bundles. `ReleaseEvidencePackBuilder.cs` aggregates binary SCA evidence.
- **DI**: `ServiceCollectionExtensions.cs` -- registers builder, serializer, signer, verifier.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/BinaryDiff/` -- `BinaryDiffPredicateBuilderTests.cs`, `BinaryDiffPredicateSerializerTests.cs`, `BinaryDiffDsseSignerTests.cs`, `BinaryDiffSchemaValidationTests.cs`, `BinaryDiffTestData.cs`
## E2E Test Plan
- [ ] Build a predicate from `BinaryDiffFinding` entries representing patched and unpatched sections, sign it, and verify the DSSE envelope
- [ ] Validate the predicate against `BinaryDiffSchema` and verify it passes
- [ ] Include the signed binary diff attestation in a `ReleaseEvidencePackBuilder` export and verify it appears in the evidence pack manifest
- [ ] Serialize the predicate, modify a finding, re-serialize, and verify the normalized output differs
- [ ] Create findings with ELF section changes (.text, .plt, .got) and verify `BinaryDiffSectionModels` captures each section
- [ ] Verify DI registration via `ServiceCollectionExtensions` resolves all binary diff services correctly
- [ ] Tamper with the DSSE envelope and verify `BinaryDiffDsseVerifier` rejects it

34
docs/features/unchecked/attestor/build-attestation-mapping.md Normal file
View File

@@ -0,0 +1,34 @@
# Build Attestation Mapping (SPDX 3.0.1 Build Profile)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Build attestation mapping to/from SPDX 3.0.1 is implemented with bidirectional mappers, build material, metadata, and invocation models.
## Implementation Details
- **BuildAttestationMapper**: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` -- orchestrates bidirectional mapping. `IBuildAttestationMapper.cs` -- interface.
- `BuildAttestationMapper.MapToSpdx3.cs` -- maps internal build attestation to SPDX 3.0.1 build profile format
- `BuildAttestationMapper.MapFromSpdx3.cs` -- maps SPDX 3.0.1 build profile to internal format
- **Build Attestation Payload**: `BuildAttestationPayload.cs` -- internal build attestation model.
- **Build Material**: `BuildMaterial.cs` -- input materials (source code, dependencies, config files) with digests.
- **Build Metadata**: `BuildMetadata.cs` -- build timestamp, build ID, reproducibility info.
- **Build Invocation**: `BuildInvocation.cs` -- build command, parameters, environment.
- **Builder Info**: `BuilderInfo.cs` -- builder identity (CI system, version).
- **Config Source**: `ConfigSource.cs` -- build configuration source references.
- **Build Relationships**: `BuildRelationshipBuilder.cs` (with `.Linking` partial) -- builds SPDX 3.0.1 relationships between build elements.
- **DSSE Signing**: `DsseSpdx3Signer.cs` (with `.SignBuildProfile` partial) -- signs build profiles as DSSE envelopes.
- **Combined Document**: `CombinedDocumentBuilder.cs` (with `.Build`, `.Attestation`, `.Profiles` partials) -- builds combined SPDX documents with build attestation profiles.
- **Tests**: `__Libraries/__Tests/StellaOps.Attestor.Spdx3.Tests/BuildAttestationMapperTests.cs`, `BuildProfileValidatorTests.cs`, `CombinedDocumentBuilderTests.cs`
## E2E Test Plan
- [ ] Create a `BuildAttestationPayload` with materials, metadata, and invocation, map to SPDX 3.0.1 via `MapToSpdx3`, and verify the output contains correct build profile elements
- [ ] Map an SPDX 3.0.1 document with build profile back to internal format via `MapFromSpdx3` and verify round-trip fidelity
- [ ] Create build materials with SHA-256 digests and verify they appear as SPDX 3.0.1 build inputs with correct hash references
- [ ] Create `BuildInvocation` with build command and parameters and verify they map to SPDX 3.0.1 build invocation fields
- [ ] Use `BuildRelationshipBuilder` to link build elements and verify SPDX relationships are correctly typed
- [ ] Sign a build profile via `DsseSpdx3Signer.SignBuildProfile` and verify the DSSE envelope is valid
- [ ] Build a combined SPDX document with SBOM + build attestation profile via `CombinedDocumentBuilder` and verify both profiles are present

30
docs/features/unchecked/attestor/call-stack-reachability-analysis.md Normal file
View File

@@ -0,0 +1,30 @@
# Call-Stack Reachability Analysis
## Module
Attestor
## Status
IMPLEMENTED
## Description
Multi-language call-stack reachability analysis with symbol matching and canonicalization supporting .NET, Java, native (ELF), and scripting languages, plus benchmarking infrastructure with ground-truth validation.
## Implementation Details
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path` partial) -- captures call-stack paths from entry points to vulnerable functions.
- **Witness Call Path Node**: `Statements/WitnessCallPathNode.cs` -- individual node in a call-stack path with function name, module, and language.
- **Witness Path Node**: `Statements/WitnessPathNode.cs` -- simplified path node for witness evidence.
- **Witness Evidence Metadata**: `Statements/WitnessEvidenceMetadata.cs` -- metadata about the analysis tool and language used.
- **Witness Gate Info**: `Statements/WitnessGateInfo.cs` -- gate configuration for policy evaluation of reachability evidence.
- **Reachability Witness Statement**: `Statements/ReachabilityWitnessStatement.cs` -- wraps payload as in-toto statement.
- **Path Witness Predicate Types**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs` -- predicate type URIs for different path witness types.
- **Micro-Witness Function Evidence**: `Predicates/MicroWitnessFunctionEvidence.cs` -- function-level evidence from call-stack analysis.
- **Note**: Actual call-graph analysis and symbol matching lives in `src/ReachGraph/` and `src/Scanner/`; Attestor provides the attestation wrapper.
## E2E Test Plan
- [ ] Create a `ReachabilityWitnessPayload` with a call-stack path containing 5 nodes (entry -> intermediate -> intermediate -> intermediate -> vulnerable function) and verify all nodes are captured
- [ ] Create `WitnessCallPathNode` entries with .NET namespaced symbols and verify symbol canonicalization preserves full type qualification
- [ ] Create path nodes with Java package-style symbols and verify correct representation
- [ ] Create `WitnessEvidenceMetadata` specifying the analysis tool and language, wrap in statement, and verify metadata persists
- [ ] Verify `WitnessGateInfo` correctly captures policy gate thresholds for reachability evidence
- [ ] Create `MicroWitnessFunctionEvidence` linking a specific function to call-stack evidence and verify the reference chain
- [ ] Wrap a reachability witness in an in-toto statement and verify the predicate type matches `PathWitnessPredicateTypes`

29
docs/features/unchecked/attestor/canonical-graph-signature-deterministic-verdicts.md Normal file
View File

@@ -0,0 +1,29 @@
# Canonical Graph Signature (CGS) / Deterministic Verdicts
## Module
Attestor
## Status
IMPLEMENTED
## Description
Deterministic Merkle tree builder, content-addressed IDs, and canonical JSON serialization produce same-inputs-same-output verdicts with verifiable digests.
## Implementation Details
- **Deterministic Merkle Tree**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Merkle/DeterministicMerkleTreeBuilder.cs` (with `.Helpers`, `.Proof` partials) -- implements `IMerkleTreeBuilder`. Builds Merkle trees with deterministic leaf ordering for canonical graph signatures.
- **Merkle Proof**: `MerkleProof.cs`, `MerkleProofStep.cs` -- inclusion proof model. `MerkleTreeWithProofs.cs` -- tree with generated proofs.
- **Content-Addressed IDs**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` (with `.Graph` partial) -- generates deterministic SHA-256 IDs from content. Types: `ArtifactId.cs`, `EvidenceId.cs`, `ProofBundleId.cs`, `VexVerdictId.cs`, `ReasoningId.cs`, `GraphRevisionId.cs`.
- **Canonical JSON**: `__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` (with `.DecimalPoint`, `.NumberSerialization`, `.StringNormalization`, `.WriteMethods`) -- RFC 8785 JCS ensuring deterministic serialization.
- **Verdict Receipt**: `Statements/VerdictReceiptPayload.cs`, `VerdictReceiptStatement.cs` -- verdict receipts with deterministic content.
- **Verdict Decision**: `Statements/VerdictDecision.cs`, `VerdictInputs.cs`, `VerdictOutputs.cs` -- verdict computation model.
- **Proof Hashing**: `__Libraries/StellaOps.Attestor.ProofChain/ProofHashing.cs` -- SHA-256 hashing utilities.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/MerkleTreeBuilderTests.cs`, `ContentAddressedIdTests.cs`, `ContentAddressedIdGeneratorTests.cs`, `JsonCanonicalizerTests.cs`
## E2E Test Plan
- [ ] Build a Merkle tree from 10 evidence items via `DeterministicMerkleTreeBuilder` and verify the root hash is deterministic (build twice, compare roots)
- [ ] Generate an inclusion proof for a specific leaf and verify `MerkleProof` validates against the root
- [ ] Generate `ContentAddressedId` for identical content twice and verify IDs match
- [ ] Generate IDs for different content and verify they differ
- [ ] Canonicalize a JSON object with out-of-order keys via `Rfc8785JsonCanonicalizer` and verify key ordering matches RFC 8785
- [ ] Create a `VerdictReceiptPayload` from identical inputs twice and verify the serialized output is byte-for-byte identical
- [ ] Build a `GraphRevisionId` from a proof graph state and verify it changes when graph content changes

34
docs/features/unchecked/attestor/canonicalization-and-content-addressing.md Normal file
View File

@@ -0,0 +1,34 @@
# Canonicalization and Content Addressing
## Module
Attestor
## Status
IMPLEMENTED
## Description
RFC 8785 JSON canonicalization, deterministic Merkle tree building, and content-addressed ID generation for all proof chain artifacts ensuring stable hashing.
## Implementation Details
- **RFC 8785 Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` -- implements `IJsonCanonicalizer`. Partials:
- `.DecimalPoint` -- decimal point handling per RFC 8785
- `.NumberSerialization` -- IEEE 754 number serialization
- `.StringNormalization` -- Unicode escape and string normalization
- `.WriteMethods` -- low-level write operations
- **SBOM Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs` (with `.Elements`) -- implements `ISbomCanonicalizer` for deterministic SBOM element ordering.
- **Content-Addressed ID Generator**: `__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` (with `.Graph`) -- `IContentAddressedIdGenerator` implementation. Generates SHA-256 content-addressed IDs.
- **ID Types**: `ContentAddressedId.cs` (base), `GenericContentAddressedId.cs`, `ArtifactId.cs`, `EvidenceId.cs`, `ProofBundleId.cs`, `VexVerdictId.cs`, `ReasoningId.cs`, `SbomEntryId.cs`, `TrustAnchorId.cs`, `GraphRevisionId.cs`.
- **SHA-256 Parser**: `Sha256IdParser.cs` -- parses `sha256:<hex>` formatted IDs.
- **Proof Hashing**: `ProofHashing.cs` -- utility methods for proof chain hashing.
- **Merkle Tree**: `Merkle/DeterministicMerkleTreeBuilder.cs` (with `.Helpers`, `.Proof`) -- deterministic tree construction.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/JsonCanonicalizerTests.cs`, `ContentAddressedIdTests.cs`, `ContentAddressedIdGeneratorTests.cs`, `MerkleTreeBuilderTests.cs`
## E2E Test Plan
- [ ] Canonicalize JSON with out-of-order keys and verify output has keys in lexicographic order per RFC 8785
- [ ] Canonicalize JSON with Unicode escapes (e.g., `\u00e9`) and verify normalization to UTF-8
- [ ] Canonicalize JSON with floating-point numbers and verify IEEE 754 serialization
- [ ] Generate a content-addressed ID for a proof blob and verify it matches `sha256:<64-hex-chars>` format
- [ ] Verify `Sha256IdParser` correctly parses valid IDs and rejects malformed ones
- [ ] Canonicalize an SBOM document via `SbomCanonicalizer` and verify element ordering is deterministic
- [ ] Build a Merkle tree from canonicalized artifacts and verify the root hash is stable across invocations
- [ ] Generate `SbomEntryId` for identical SBOM component content and verify ID equality

29
docs/features/unchecked/attestor/checkpoint-signature-verification.md Normal file
View File

@@ -0,0 +1,29 @@
# Checkpoint Signature Verification
## Module
Attestor
## Status
IMPLEMENTED
## Description
Checkpoint divergence detection and alert publishing for Rekor transparency log verification.
## Implementation Details
- **Checkpoint Signature Verifier**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Verification/CheckpointSignatureVerifier.cs` -- verifies cryptographic signatures on Rekor checkpoints against known public keys.
- **Checkpoint Divergence Detector**: `StellaOps.Attestor.Core/Rekor/CheckpointDivergenceDetector.cs` -- implements `ICheckpointDivergenceDetector`. Detects split-world attacks by comparing checkpoints from multiple Rekor instances.
- **Alert Publisher**: `Rekor/CheckpointDivergenceAlertPublisher.cs` -- publishes alerts when checkpoint divergence is detected.
- **Rekor Checkpoint Store**: `IRekorCheckpointStore.cs` -- interface for storing and retrieving checkpoints. `StellaOps.Attestor.Storage/Rekor/PostgresRekorCheckpointStore.cs` -- PostgreSQL implementation.
- **Rekor Backend**: `Rekor/RekorBackend.cs` -- backend configuration. `IRekorBackendResolver.cs` -- resolves backend instances. `Infrastructure/Rekor/RekorBackendResolver.cs`, `ServiceMapAwareRekorBackendResolver.cs` -- implementations.
- **Rekor Sync**: `Rekor/RekorSyncBackgroundService.cs` -- background service for checkpoint synchronization.
- **Time Skew Validation**: `Verification/TimeSkewValidator.cs`, `InstrumentedTimeSkewValidator.cs` -- validates time consistency between checkpoints.
- **Tests**: `StellaOps.Attestor.Core.Tests/Verification/CheckpointSignatureVerifierTests.cs`, `StellaOps.Attestor.Core.Tests/Rekor/CheckpointDivergenceDetectorTests.cs`, `CheckpointDivergenceByzantineTests.cs`, `__Tests/StellaOps.Attestor.Conformance.Tests/CheckpointParityTests.cs`
## E2E Test Plan
- [ ] Verify a checkpoint signature against a known Rekor public key via `CheckpointSignatureVerifier` and confirm success
- [ ] Verify a checkpoint with an invalid signature and confirm the verifier rejects it
- [ ] Feed two consistent checkpoints (same tree) to `CheckpointDivergenceDetector` and verify no divergence is detected
- [ ] Feed two divergent checkpoints (different roots for same tree size) and verify divergence is detected and alert is published via `CheckpointDivergenceAlertPublisher`
- [ ] Store checkpoints via `PostgresRekorCheckpointStore` and retrieve them, verifying data integrity
- [ ] Verify `TimeSkewValidator` detects unacceptable time skew between checkpoint timestamps
- [ ] Run `RekorSyncBackgroundService` and verify it periodically fetches and stores new checkpoints

32
docs/features/unchecked/attestor/confidence-scoring-for-backport-detection.md Normal file
View File

@@ -0,0 +1,32 @@
# Confidence Scoring for Backport Detection
## Module
Attestor
## Status
IMPLEMENTED
## Description
Quantifiable confidence scoring (0.0-0.98) for backport detection. Uses highest individual tier confidence as base, adds multi-source bonus (0.05 for 2 sources, 0.08 for 3, 0.10 for 4+), capped at 0.98. Per-tier confidence values: DistroAdvisory=0.98, VersionComparison=0.95, BuildCatalog=0.90, PatchHeader=0.85, ChangelogMention=0.80, BinaryFingerprint=0.70.
## Implementation Details
- **BackportProofGenerator.Confidence**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Generators/BackportProofGenerator.Confidence.cs` -- computes confidence scores using tier-based hierarchy with multi-source bonuses.
- **Tier Implementations**: Each tier has specific confidence values:
- `BackportProofGenerator.Tier1.cs` -- DistroAdvisory (0.98) and VersionComparison (0.95)
- `BackportProofGenerator.Tier2.cs` -- BuildCatalog (0.90) and PatchHeader (0.85)
- `BackportProofGenerator.Tier3.cs` -- ChangelogMention (0.80)
- `BackportProofGenerator.Tier3Signature.cs` -- Binary signature variant
- `BackportProofGenerator.Tier4.cs` -- BinaryFingerprint (0.70) and inference
- **Evidence Combining**: `BackportProofGenerator.CombineEvidence.cs` -- aggregates evidence from multiple tiers, applying multi-source bonus (2 sources: +0.05, 3: +0.08, 4+: +0.10), capped at 0.98.
- **Evidence Summary**: `EvidenceSummary.cs` -- aggregated output with per-tier confidence breakdown.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/BackportProofGeneratorTests.cs`
## E2E Test Plan
- [ ] Generate a Tier 1 proof with DistroAdvisory evidence and verify confidence score is 0.98
- [ ] Generate a Tier 2 proof with BuildCatalog evidence and verify confidence score is 0.90
- [ ] Generate a Tier 3 proof with ChangelogMention and verify confidence score is 0.80
- [ ] Generate a Tier 4 proof with BinaryFingerprint and verify confidence score is 0.70
- [ ] Combine evidence from 2 sources (Tier 1 + Tier 3) and verify multi-source bonus of 0.05 is applied
- [ ] Combine evidence from 3 sources and verify bonus of 0.08 is applied
- [ ] Combine evidence from 4+ sources and verify bonus of 0.10 is applied, with final score capped at 0.98
- [ ] Verify `EvidenceSummary` contains per-tier breakdown showing individual and combined confidence scores

36
docs/features/unchecked/attestor/content-addressed-identifiers.md Normal file
View File

@@ -0,0 +1,36 @@
# Content-Addressed Identifiers (ArtifactId, EvidenceId, ProofBundleId)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Full content-addressed ID system with types for ArtifactId, EvidenceId, ReasoningId, VexVerdictId, ProofBundleId, plus a content-addressed ID generator and SHA256 parser.
## Implementation Details
- **ID Generator**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.cs` (with `.Graph` partial) -- implements `IContentAddressedIdGenerator`. Generates SHA-256 content-addressed IDs from canonical JSON content.
- **Base Types**: `ContentAddressedId.cs` -- base record type. `GenericContentAddressedId.cs` -- generic typed variant.
- **Typed ID Records**:
- `ArtifactId.cs` -- identifies attestation artifacts
- `EvidenceId.cs` -- identifies evidence items
- `ProofBundleId.cs` -- identifies proof bundles
- `VexVerdictId.cs` -- identifies VEX verdicts
- `ReasoningId.cs` -- identifies reasoning chains
- `SbomEntryId.cs` -- identifies SBOM entries
- `TrustAnchorId.cs` -- identifies trust anchors
- `GraphRevisionId.cs` -- identifies graph revision state
- **SHA-256 Parser**: `Sha256IdParser.cs` -- parses and validates `sha256:<64-hex-chars>` format.
- **Proof Hashing**: `__Libraries/StellaOps.Attestor.ProofChain/ProofHashing.cs` -- SHA-256 hashing utilities.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdTests.cs`, `ContentAddressedIdGeneratorTests.cs`
## E2E Test Plan
- [ ] Generate an `ArtifactId` from content via `ContentAddressedIdGenerator` and verify the output matches `sha256:<64-hex-chars>` format
- [ ] Generate IDs for identical content twice and verify they are equal
- [ ] Generate IDs for different content and verify they differ
- [ ] Parse a valid `sha256:abc123...` string via `Sha256IdParser` and verify successful parsing
- [ ] Attempt to parse an invalid ID (wrong prefix, wrong length) and verify parser rejects it
- [ ] Generate `EvidenceId`, `ProofBundleId`, `VexVerdictId`, `ReasoningId` for same content and verify they produce the same hash but are distinct types
- [ ] Generate a `GraphRevisionId` from a proof graph state, modify the graph, regenerate, and verify the ID changes
- [ ] Verify `SbomEntryId` produces deterministic IDs for identical SBOM component content

27
docs/features/unchecked/attestor/content-addressed-ids-for-sbom-components.md Normal file
View File

@@ -0,0 +1,27 @@
# Content-Addressed IDs for SBOM Components (bom-ref)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Content-addressed ID generator with SBOM entry IDs and CycloneDX subject extraction for deterministic component referencing.
## Implementation Details
- **SbomEntryId**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/SbomEntryId.cs` -- content-addressed ID type for SBOM entries, ensuring deterministic bom-ref values.
- **Content-Addressed ID Generator**: `ContentAddressedIdGenerator.cs` -- generates SHA-256 based IDs from canonical SBOM component content.
- **CycloneDX Subject Extractor**: `__Libraries/StellaOps.Attestor.ProofChain/Sbom/CycloneDxSubjectExtractor.cs` -- implements `ISbomSubjectExtractor`. Extracts subjects from CycloneDX SBOM for attestation.
- **Component Ref Extractor**: `__Libraries/StellaOps.Attestor.ProofChain/Linking/ComponentRefExtractor.cs` (with `.Resolution`, `.Spdx` partials) -- extracts component references from SBOMs for cross-linking. `SbomExtractionResult.cs` -- extraction result model.
- **SBOM Canonicalization**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs` (with `.Elements`) -- deterministic element ordering for stable ID generation.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdTests.cs`, `ContentAddressedIdGeneratorTests.cs`
## E2E Test Plan
- [ ] Generate `SbomEntryId` for a CycloneDX component with name, version, and PURL and verify deterministic ID
- [ ] Generate IDs for two components with same content but different field ordering and verify IDs match (canonicalization)
- [ ] Extract subjects from a CycloneDX SBOM via `CycloneDxSubjectExtractor` and verify each component has a content-addressed subject ID
- [ ] Extract component references via `ComponentRefExtractor` and verify bom-ref values are content-addressed
- [ ] Extract SPDX component references via `ComponentRefExtractor.Spdx` and verify deterministic SPDX IDs
- [ ] Canonicalize an SBOM via `SbomCanonicalizer`, generate content-addressed IDs, and verify stability across invocations
- [ ] Modify a single component field and verify the `SbomEntryId` changes

31
docs/features/unchecked/attestor/content-addressed-node-and-edge-identifiers.md Normal file
View File

@@ -0,0 +1,31 @@
# Content-Addressed Node and Edge Identifiers
## Module
Attestor
## Status
IMPLEMENTED
## Description
Content-addressed NodeId and EdgeId records with graph-aware ID generation, addressing the advisory's EdgeId gap.
## Implementation Details
- **Graph-Aware ID Generation**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Identifiers/ContentAddressedIdGenerator.Graph.cs` -- extends `ContentAddressedIdGenerator` with graph-specific ID generation for nodes and edges.
- **Proof Graph Node**: `__Libraries/StellaOps.Attestor.ProofChain/Graph/ProofGraphNode.cs` -- node record with content-addressed ID, type (`ProofGraphNodeType`), and payload.
- **Proof Graph Edge**: `Graph/ProofGraphEdge.cs` -- edge record with content-addressed ID, source/target node references, and type (`ProofGraphEdgeType`).
- **Node Types**: `ProofGraphNodeType.cs` -- enum: Evidence, Verdict, Policy, Artifact, etc.
- **Edge Types**: `ProofGraphEdgeType.cs` -- enum: DependsOn, Supersedes, Aggregates, Produces, etc.
- **Graph Path**: `ProofGraphPath.cs` -- path through the graph for traversal.
- **Subgraph**: `ProofGraphSubgraph.cs` -- extracted subgraph with nodes and edges.
- **Graph Revision**: `Identifiers/GraphRevisionId.cs` -- content-addressed ID for the entire graph state.
- **Graph Service**: `Graph/InMemoryProofGraphService.cs` (with `.Mutation`, `.Queries`, `.Subgraph`) -- implements `IProofGraphService` with content-addressed node/edge management.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdGeneratorTests.cs`
## E2E Test Plan
- [ ] Create a `ProofGraphNode` and verify its content-addressed ID is generated from node content via `ContentAddressedIdGenerator.Graph`
- [ ] Create a `ProofGraphEdge` between two nodes and verify its edge ID is computed from source, target, and edge type
- [ ] Add identical node content twice via `InMemoryProofGraphService` and verify deduplication (same node ID)
- [ ] Add an edge between two nodes and verify the edge ID is deterministic
- [ ] Modify node payload and verify the node ID changes
- [ ] Compute `GraphRevisionId` for a graph state, add a node, recompute, and verify the revision ID changes
- [ ] Extract a subgraph via `InMemoryProofGraphService.Subgraph` and verify all node/edge IDs in the subgraph are content-addressed

31
docs/features/unchecked/attestor/cross-attestation-chain-linking.md Normal file
View File

@@ -0,0 +1,31 @@
# Cross-Attestation Chain Linking (SBOM->VEX->Policy)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Cross-attestation linking via in-toto layout references with link types (DependsOn/Supersedes/Aggregates), DAG validation with cycle detection, chain query API (GET /attestations?chain=true, upstream/downstream traversal with depth limit), and chain visualization endpoint supporting Mermaid/DOT/JSON formats.
## Implementation Details
- **Attestation Chain Builder**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Chain/AttestationChainBuilder.cs` -- builds attestation chains from link references.
- **Attestation Chain Validator**: `Chain/AttestationChainValidator.cs` -- validates chain integrity including DAG validation and cycle detection.
- **Attestation Link**: `Chain/AttestationLink.cs` -- represents a link between two attestations with link type.
- **Attestation Link Resolver**: `Chain/AttestationLinkResolver.cs` -- implements `IAttestationLinkResolver`. Resolves upstream/downstream links with depth limits.
- **In-Memory Link Store**: `Chain/InMemoryAttestationLinkStore.cs` -- in-memory storage for attestation links.
- **Chain Model**: `Chain/AttestationChain.cs` -- full chain model for traversal.
- **In-Toto Materials**: `Chain/InTotoStatementMaterials.cs` -- material references in in-toto statements for cross-linking.
- **Chain Query Service**: `StellaOps.Attestor.WebService/Services/ChainQueryService.cs`, `IChainQueryService.cs` -- API service for chain queries.
- **Chain API**: `WebService/Controllers/ChainController.cs` -- REST endpoints for chain traversal and visualization. `WebService/Models/ChainApiModels.cs` -- API models.
- **Tests**: `StellaOps.Attestor.Core.Tests/Chain/AttestationChainBuilderTests.cs`, `AttestationChainValidatorTests.cs`, `AttestationLinkResolverTests.cs`, `ChainResolverDirectionalTests.cs`, `InMemoryAttestationLinkStoreTests.cs`
## E2E Test Plan
- [ ] Build an attestation chain SBOM -> VEX -> Policy via `AttestationChainBuilder` with DependsOn links and verify the chain connects all three
- [ ] Validate the chain via `AttestationChainValidator` and verify DAG validation passes (no cycles)
- [ ] Create a circular chain (A -> B -> C -> A) and verify `AttestationChainValidator` detects the cycle
- [ ] Resolve upstream links from a Policy attestation via `AttestationLinkResolver` with depth limit 2 and verify VEX and SBOM are returned
- [ ] Resolve downstream links from an SBOM attestation and verify VEX and Policy are returned
- [ ] Query chain via `ChainController` GET endpoint with `chain=true` and verify the response contains the full chain
- [ ] Request chain visualization in Mermaid format and verify valid Mermaid diagram output

29
docs/features/unchecked/attestor/cryptographic-proof-generation.md Normal file
View File

@@ -0,0 +1,29 @@
# Cryptographic Proof Generation (SHA-256 hashing)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Cryptographic proof generation using canonical JSON serialization and SHA-256 hashing. ProofBlobs are tamper-evident with computed hashes that can be verified. Note: The codebase uses SHA-256 through CanonJson utilities. The advisory mentioned BLAKE3-256 as well; the DB schema references BLAKE3-256 in comments but actual code uses SHA-256 via CanonJson.
## Implementation Details
- **Proof Hashing**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/ProofHashing.cs` -- SHA-256 hashing utilities for proof chain artifacts.
- **Proof Blob**: `__Libraries/StellaOps.Attestor.ProofChain/Models/ProofBlob.cs` -- tamper-evident proof container with computed SHA-256 hash.
- **Canonical JSON**: `__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` (with `.DecimalPoint`, `.NumberSerialization`, `.StringNormalization`, `.WriteMethods`) -- RFC 8785 canonicalization ensuring deterministic JSON for stable hashing.
- **Content-Addressed IDs**: `Identifiers/ContentAddressedIdGenerator.cs` -- generates SHA-256 IDs from canonical content.
- **Merkle Tree**: `Merkle/DeterministicMerkleTreeBuilder.cs` (with `.Helpers`, `.Proof`) -- Merkle tree construction using SHA-256 for proof aggregation. `MerkleProof.cs`, `MerkleProofStep.cs` -- inclusion proofs.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) -- signs proof blobs in DSSE envelopes. `DssePreAuthenticationEncoding.cs` -- PAE for DSSE.
- **Canonical JSON Serializer (Core)**: `StellaOps.Attestor.Core/Serialization/CanonicalJsonSerializer.cs` -- alternative canonical serializer in core.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/JsonCanonicalizerTests.cs`, `MerkleTreeBuilderTests.cs`, `Signing/ProofChainSignerTests.cs`, `StellaOps.Attestor.Core.Tests/Serialization/CanonicalJsonSerializerTests.cs`
## E2E Test Plan
- [ ] Create a `ProofBlob` from JSON content, compute its SHA-256 hash via `ProofHashing`, and verify the hash matches manual SHA-256 computation of the canonical JSON
- [ ] Modify the proof blob content and verify the hash changes
- [ ] Canonicalize identical JSON with different formatting via `Rfc8785JsonCanonicalizer`, hash both, and verify hashes match
- [ ] Build a Merkle tree from 8 proof blobs and verify the root hash is deterministic
- [ ] Generate an inclusion proof for a specific blob and verify it validates against the root
- [ ] Sign a proof blob via `ProofChainSigner` and verify the DSSE envelope contains the correct hash
- [ ] Verify a signed proof blob via `ProofChainSigner.Verification` and confirm integrity

33
docs/features/unchecked/attestor/cvss-v4-0-cyclonedx-1-7-slsa-v1-2-scanner-convergence.md Normal file
View File

@@ -0,0 +1,33 @@
# CVSS v4.0 + CycloneDX 1.7 + SLSA v1.2 Scanner Convergence
## Module
Attestor
## Status
IMPLEMENTED
## Description
Scanner stack supports CVSS v4.0 scoring, CycloneDX output (with crypto metadata), and SLSA provenance predicate types. The Signer module includes statement builder for SLSA provenance and integration tests.
## Implementation Details
- **CycloneDX Writer**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs` -- comprehensive CycloneDX writer with 40+ partial files covering all elements:
- `.Components`, `.Services`, `.Vulnerabilities` -- core SBOM elements
- `.Crypto`, `.CryptoCertificates`, `.CryptoMaterial` -- crypto metadata support
- `.Attestation Maps`, `.Claims`, `.Declarations` -- attestation elements
- `.Formulation`, `.Evidence` -- build provenance and evidence
- `.Validation` -- output validation
- **CycloneDX Parser**: `Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`, `.SerialNumber`) -- parses CycloneDX predicates.
- **SLSA Provenance Parser**: `Parsers/SlsaProvenancePredicateParser.cs` (with `.ExtractMetadata`, `.Validation`) -- parses SLSA v1.x provenance predicates.
- **SLSA Schema Validator**: `Validation/SlsaSchemaValidator.cs` (with `.BuildDefinition`, `.Helpers`, `.Level`, `.RunDetails`) -- validates SLSA provenance against schema.
- **SPDX 3.0.1 Build Attestation**: `src/Attestor/__Libraries/StellaOps.Attestor.Spdx3/BuildAttestationMapper.cs` -- maps build attestation to SPDX 3.0.1.
- **Standard Predicate Registry**: `StandardPredicateRegistry.cs` -- registers all supported predicate types including SLSA.
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/` -- CycloneDX, SPDX, and SLSA tests. `Parsers/SlsaProvenancePredicateParserTests.cs`, `Validation/SlsaSchemaValidatorTests.cs`
## E2E Test Plan
- [ ] Write a CycloneDX SBOM with crypto metadata (algorithm properties, key material) and verify crypto elements are correctly serialized
- [ ] Parse a CycloneDX SBOM with vulnerabilities containing CVSS v4.0 scores and verify score extraction
- [ ] Parse an SLSA provenance predicate and verify build definition, run details, and materials are extracted
- [ ] Validate an SLSA provenance predicate against `SlsaSchemaValidator` and verify it passes for a well-formed predicate
- [ ] Validate an SLSA predicate missing required fields and verify schema validation reports specific errors
- [ ] Map an SLSA provenance to SPDX 3.0.1 build attestation via `BuildAttestationMapper` and verify the mapping preserves build materials
- [ ] Verify `StandardPredicateRegistry` returns correct parsers for CycloneDX, SPDX, and SLSA predicate types

41
docs/features/unchecked/attestor/cyclonedx-1-6-and-spdx-3-0-1-full-sbom-support.md Normal file
View File

@@ -0,0 +1,41 @@
# CycloneDX 1.6 and SPDX 3.0.1 Full SBOM Support (Parsers, Writers, Attestation)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Comprehensive CycloneDX 1.6 and SPDX 3.0.1 parsers and writers supporting all major SBOM elements: components, services, vulnerabilities, crypto, attestation maps, declarations, evidence, formulation, and more. Includes predicate parsers with metadata extraction and validation, SPDX 3.0 build attestation mappers, and CycloneDX VEX normalizer. 40+ partial class files for CycloneDX alone.
## Implementation Details
- **CycloneDX Writer**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Writers/CycloneDxWriter.cs` -- 40+ partial files:
- Core: `.Convert`, `.Validation`, `.Metadata`, `.SerialNumber`
- Components: `.Components`, `.Dependencies`, `.Pedigree`, `.Swid`
- Services: `.Services`
- Vulnerabilities: `.Vulnerabilities`
- Crypto: `.Crypto`, `.CryptoCertificates`, `.CryptoMaterial`
- Attestation: `.AttestationMaps`, `.Claims`, `.Declarations`, `.DeclarationTargets`, `.Definitions`
- Evidence: `.Evidence`, `.EvidenceOccurrences`
- Formulation: `.Formulation`, `.InputsOutputs`, `.Tasks`
- Compliance: `.Compositions`, `.Considerations`, `.Environmental`
- DTOs: `.DtoBom`, `.DtoComponent`, `.DtoService`, `.DtoVulnerability`, `.DtoCrypto`, etc.
- **SPDX Writer**: `SpdxWriter.cs` -- 50+ partial files covering all SPDX 3.0.1 profiles: `.Packages`, `.FileElement`, `.Snippets`, `.Relationships`, `.Licensing`, `.Vulnerabilities`, `.Builds`, `.Assessments`, `.AiPackage`, `.DatasetPackage`, `.Agents`, `.Signatures`, etc.
- **CycloneDX Parser**: `Parsers/CycloneDxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`, `.SerialNumber`)
- **SPDX Parser**: `Parsers/SpdxPredicateParser.cs` (with `.ExtractMetadata`, `.ExtractSbom`, `.Validation`)
- **SBOM Models**: `Models/` -- 106 model files: `SbomComponent`, `SbomService`, `SbomVulnerability`, `SbomDocument`, etc.
- **SBOM Canonicalizer**: `Canonicalization/SbomCanonicalizer.cs` (with `.Elements`)
- **License Expression Parser**: `Licensing/SpdxLicenseExpressionParser.cs` (with partials)
- **Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/` -- 25+ test files including CycloneDx/SpdxDeterminismTests, SchemaValidationTests, ParserTests, WriterProfileTests
## E2E Test Plan
- [ ] Write a CycloneDX 1.6 SBOM with components, services, and vulnerabilities via `CycloneDxWriter.Convert` and verify all elements are present in the output
- [ ] Write an SPDX 3.0.1 document with packages, files, snippets, and relationships via `SpdxWriter.Convert` and verify all profiles are populated
- [ ] Parse a CycloneDX SBOM via `CycloneDxPredicateParser` and verify metadata extraction (serial number, version, timestamp)
- [ ] Parse an SPDX SBOM via `SpdxPredicateParser` and verify package extraction with licensing info
- [ ] Write a CycloneDX SBOM with crypto properties and verify crypto algorithm and certificate elements
- [ ] Write an SPDX document with AI/ML profiles (AiPackage, DatasetPackage) and verify profile elements
- [ ] Round-trip test: write CycloneDX -> parse -> write again and verify deterministic output
- [ ] Round-trip test: write SPDX -> parse -> write again and verify deterministic output
- [ ] Verify license expression parsing for complex SPDX expressions (e.g., `(MIT OR Apache-2.0) AND BSD-3-Clause`)

32
docs/features/unchecked/attestor/delta-verdict-and-change-trace-system.md Normal file
View File

@@ -0,0 +1,32 @@
# Delta Verdict and Change Trace System
## Module
Attestor
## Status
IMPLEMENTED
## Description
Full delta computation engine with verdict predicates, change trace entries, budget tracking, VEX delta computation, attestation service, and smart diff with trust indicators. Frontend delta-verdict service and models consume the API. Delta-first comparison shows what changed since last trusted point.
## Implementation Details
- **Delta Verdict Predicate**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Predicates/DeltaVerdictPredicate.cs` (with `.Budget` partial) -- predicate for delta verdict attestations with budget impact tracking.
- **Delta Models**: `DeltaVerdictChange.cs` -- individual change entry. `DeltaFindingKey.cs` -- unique finding identifier for delta tracking. `VerdictDeltaSummary.cs` -- summary of all changes. `VerdictFindingChange.cs` -- per-finding change details. `VerdictRuleChange.cs` -- policy rule changes.
- **Change Trace Service**: `__Libraries/StellaOps.Attestor.ProofChain/ChangeTrace/ChangeTraceAttestationService.cs` (with `.Helpers`, `.Mapping`) -- implements `IChangeTraceAttestationService`. Produces change trace attestations.
- **Change Trace Predicate**: `Predicates/ChangeTracePredicate.cs`, `ChangeTracePredicateSummary.cs`, `ChangeTraceDeltaEntry.cs` -- change trace predicate models.
- **VEX Delta**: `Predicates/VexDeltaPredicate.cs`, `VexDeltaChange.cs`, `VexDeltaStatement.cs`, `VexDeltaSummary.cs` -- VEX-specific delta tracking.
- **SBOM Delta**: `Predicates/SbomDeltaPredicate.cs`, `SbomDeltaComponent.cs`, `SbomDeltaSummary.cs`, `SbomDeltaVersionChange.cs` -- SBOM diff tracking.
- **Statements**: `Statements/DeltaVerdictStatement.cs`, `ChangeTraceStatement.cs` -- in-toto statement wrappers.
- **Trust Delta**: `Predicates/TrustDeltaRecord.cs` -- trust score change tracking.
- **Delta Attestation Service (Core)**: `StellaOps.Attestor.Core/Delta/DeltaAttestationService.cs`, `IDeltaAttestationService.cs`
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Statements/DeltaVerdictStatementTests.cs`, `ChangeTrace/ChangeTracePredicateTests.cs`, `StellaOps.Attestor.Core.Tests/Delta/DeltaAttestationServiceTests.cs`
## E2E Test Plan
- [ ] Generate a delta verdict between two snapshots with added, removed, and changed findings and verify `DeltaVerdictPredicate` categorizes each correctly
- [ ] Verify `VerdictDeltaSummary` counts (added, removed, changed, unchanged) match the actual changes
- [ ] Generate a change trace via `ChangeTraceAttestationService` and verify `ChangeTraceDeltaEntry` entries capture timestamps and change types
- [ ] Compute a VEX delta between two VEX documents and verify `VexDeltaSummary` tracks status changes
- [ ] Compute an SBOM delta between two SBOMs and verify `SbomDeltaComponent` captures added/removed/changed components
- [ ] Verify budget impact tracking in `DeltaVerdictPredicate.Budget` by adding findings that exceed budget thresholds
- [ ] Verify `TrustDeltaRecord` captures trust score changes between snapshots
- [ ] Wrap delta verdict in `DeltaVerdictStatement` and verify valid in-toto statement output

30
docs/features/unchecked/attestor/deterministic-evidence-graph-with-hash-addressed-nodes.md Normal file
View File

@@ -0,0 +1,30 @@
# Deterministic Evidence Graph with Hash-Addressed Nodes
## Module
Attestor
## Status
IMPLEMENTED
## Description
Content-addressed proof graph with typed nodes/edges, subgraph extraction, mutation operations, and content-addressed ID generation for all identifiers (ArtifactId, EvidenceId, ProofBundleId, VexVerdictId, etc.).
## Implementation Details
- **Proof Graph Service**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Graph/InMemoryProofGraphService.cs` -- implements `IProofGraphService` with partials:
- `.Mutation` -- add/remove nodes and edges
- `.Queries` -- query nodes by type, find paths, get neighbors
- `.Subgraph` -- extract subgraphs rooted at a specific node
- **Graph Models**: `ProofGraphNode.cs` (typed via `ProofGraphNodeType`), `ProofGraphEdge.cs` (typed via `ProofGraphEdgeType`), `ProofGraphPath.cs`, `ProofGraphSubgraph.cs`
- **Content-Addressed IDs**: `Identifiers/ContentAddressedIdGenerator.cs` (with `.Graph`) -- generates deterministic node/edge IDs from content. Types: `ArtifactId`, `EvidenceId`, `ProofBundleId`, `VexVerdictId`, `ReasoningId`, `GraphRevisionId`, `TrustAnchorId`, `SbomEntryId`.
- **Graph Root Attestation**: `src/Attestor/__Libraries/StellaOps.Attestor.GraphRoot/` -- `GraphRootAttestor.cs` (implements `IGraphRootAttestor`), `Sha256MerkleRootComputer.cs` (implements `IMerkleRootComputer`). Models: `GraphRootAttestation.cs`, `GraphRootPredicate.cs`, `GraphRootResults.cs`.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ContentAddressedIdGeneratorTests.cs`, `__Tests/StellaOps.Attestor.GraphRoot.Tests/GraphRootAttestorTests.cs`, `Sha256MerkleRootComputerTests.cs`
## E2E Test Plan
- [ ] Add 5 nodes of different types (Evidence, Verdict, Policy, Artifact) to `InMemoryProofGraphService` and verify each gets a unique content-addressed ID
- [ ] Add edges between nodes and verify edge IDs are deterministic based on source, target, and type
- [ ] Query nodes by type and verify correct filtering
- [ ] Find a path between two nodes via graph queries and verify `ProofGraphPath` contains the correct sequence
- [ ] Extract a subgraph rooted at an evidence node and verify it contains only reachable nodes and edges
- [ ] Remove a node via mutation and verify all connected edges are also removed
- [ ] Compute graph root attestation via `GraphRootAttestor` and verify `GraphRootPredicate` contains the Merkle root of all node IDs
- [ ] Add identical content as a node twice and verify deduplication (same content-addressed ID)

32
docs/features/unchecked/attestor/deterministic-sbom-canonicalization.md Normal file
View File

@@ -0,0 +1,32 @@
# Deterministic SBOM Canonicalization (RFC 8785 JCS)
## Module
Attestor
## Status
IMPLEMENTED
## Description
Deterministic SBOM canonicalization using full RFC 8785 JSON Canonicalization Scheme with decimal point handling, number serialization, string normalization, and reproducible transforms between SPDX and CycloneDX. Verified by property-based determinism tests.
## Implementation Details
- **SBOM Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.StandardPredicates/Canonicalization/SbomCanonicalizer.cs` (with `.Elements` partial) -- implements `ISbomCanonicalizer`. Orders SBOM elements deterministically for stable hashing.
- **RFC 8785 Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` -- implements `IJsonCanonicalizer` with partials:
- `.DecimalPoint` -- handles decimal point normalization
- `.NumberSerialization` -- IEEE 754 number serialization per RFC 8785
- `.StringNormalization` -- Unicode and string escape normalization
- `.WriteMethods` -- low-level write methods
- **JSON Canonicalizer (StandardPredicates)**: `__Libraries/StellaOps.Attestor.StandardPredicates/JsonCanonicalizer.cs` -- additional canonicalizer for standard predicates.
- **JSON Canonicalizer (TrustVerdict)**: `__Libraries/StellaOps.Attestor.TrustVerdict/JsonCanonicalizer.cs` -- canonicalizer for trust verdict payloads.
- **CycloneDX Determinism Tests**: `__Tests/StellaOps.Attestor.StandardPredicates.Tests/CycloneDxDeterminismTests.cs`
- **SPDX Determinism Tests**: `SpdxDeterminismTests.cs`
- **JSON Canonicalizer Tests**: `JsonCanonicalizerTests.cs` (in both ProofChain and StandardPredicates test projects)
## E2E Test Plan
- [ ] Canonicalize a CycloneDX SBOM via `SbomCanonicalizer`, hash the output, canonicalize again, and verify identical hashes
- [ ] Canonicalize an SPDX SBOM, hash, re-canonicalize, and verify identical hashes
- [ ] Apply `Rfc8785JsonCanonicalizer` to JSON with unordered keys and verify key order matches RFC 8785 (lexicographic)
- [ ] Canonicalize JSON with floating-point edge cases (e.g., 1.0, -0.0, 1e10) and verify IEEE 754 normalization
- [ ] Canonicalize JSON with Unicode escapes and verify normalization to shortest UTF-8 representation
- [ ] Create two SBOMs with identical content but different component ordering, canonicalize both, and verify identical output
- [ ] Verify CycloneDX and SPDX round-trip: parse -> write -> canonicalize produces stable output

30
docs/features/unchecked/attestor/deterministic-verdict-serialization.md Normal file
View File

@@ -0,0 +1,30 @@
# Deterministic verdict serialization (canonical JSON / JCS)
## Module
Attestor
## Status
IMPLEMENTED
## Description
RFC 8785 (JCS) canonical JSON serializer ensures deterministic, byte-stable verdict serialization for reproducible signing.
## Implementation Details
- **RFC 8785 Canonicalizer**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs` -- full RFC 8785 implementation with partials for decimal, number, string, and write operations.
- **Verdict Receipt Payload**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/VerdictReceiptPayload.cs` -- verdict payload serialized canonically for signing.
- **Verdict Decision**: `Statements/VerdictDecision.cs`, `VerdictInputs.cs`, `VerdictOutputs.cs` -- verdict computation components serialized deterministically.
- **Verdict Summary**: `Predicates/VerdictSummary.cs` -- summary predicate for verdict output.
- **Proof Chain Signer**: `Signing/ProofChainSigner.cs` -- signs canonical verdict payloads.
- **DSSE Canonicalizer**: `StellaOps.Attestor.Core/Submission/IDsseCanonicalizer.cs`, `Infrastructure/Submission/DefaultDsseCanonicalizer.cs` -- canonicalizes DSSE payloads before signing.
- **Canonical JSON Serializer (Core)**: `StellaOps.Attestor.Core/Serialization/CanonicalJsonSerializer.cs` -- core canonical JSON serializer.
- **Verdict Ledger**: `__Libraries/StellaOps.Attestor.VerdictLedger/VerdictLedgerEntry.cs`, `VerdictLedgerService.cs` -- ledger entries use canonical serialization.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/JsonCanonicalizerTests.cs`, `__Tests/StellaOps.Attestor.Tests/VerdictLedgerHashTests.cs`, `StellaOps.Attestor.Core.Tests/Serialization/CanonicalJsonSerializerTests.cs`
## E2E Test Plan
- [ ] Serialize a `VerdictReceiptPayload` to canonical JSON and verify key ordering matches RFC 8785
- [ ] Serialize the same verdict twice and verify byte-for-byte equality
- [ ] Sign a canonical verdict via `ProofChainSigner` and verify the signature covers the canonical bytes
- [ ] Verify a signed verdict: re-canonicalize the payload and confirm the hash matches the signed hash
- [ ] Serialize a verdict with various data types (strings, numbers, booleans, nulls, arrays, objects) and verify each type follows RFC 8785 rules
- [ ] Store a verdict in `VerdictLedgerService` and verify the ledger hash matches the canonical hash
- [ ] Canonicalize via `DefaultDsseCanonicalizer` and verify it produces identical output to `Rfc8785JsonCanonicalizer`

33
docs/features/unchecked/attestor/dsse-attestation-bundling-and-batch-publishing-to-rekor.md Normal file
View File

@@ -0,0 +1,33 @@
# DSSE Attestation Bundling and Batch Publishing to Rekor
## Module
Attestor
## Status
IMPLEMENTED
## Description
Attestation bundling with configurable options, aggregation abstraction, and Rekor submission queue with retry worker and sync background service.
## Implementation Details
- **Attestation Bundler**: `src/Attestor/__Libraries/StellaOps.Attestor.Bundling/Services/AttestationBundler.cs` -- implements `IAttestationBundler`. Aggregates multiple DSSE-signed attestations into bundles.
- **Bundle Aggregator**: `Abstractions/IBundleAggregator.cs` -- interface for aggregating attestation bundles.
- **Bundle Store**: `Abstractions/IBundleStore.cs` -- persistence interface. `Models/AttestationBundle.cs` -- bundle model.
- **Bundling Options**: `Configuration/BundlingOptions.cs` -- configurable batch size, timeout, and bundling strategy.
- **Rekor Submission Queue**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Queue/IRekorSubmissionQueue.cs` -- queue interface. `RekorQueueItem.cs`, `RekorSubmissionStatus.cs`, `QueueDepthSnapshot.cs` -- queue models.
- **PostgreSQL Queue**: `StellaOps.Attestor.Infrastructure/Queue/PostgresRekorSubmissionQueue.cs` -- durable PostgreSQL-backed queue with SKIP LOCKED.
- **Retry Worker**: `Infrastructure/Workers/RekorRetryWorker.cs` -- retries failed Rekor submissions.
- **Rekor Sync Service**: `StellaOps.Attestor.Core/Rekor/RekorSyncBackgroundService.cs` -- background service for batch Rekor publication.
- **Rekor Client**: `Infrastructure/Rekor/HttpRekorClient.cs`, `ResilientRekorClient.cs` -- HTTP client with resilience. `IRekorClient.cs` -- interface.
- **Verdict Rekor Publisher**: `__Libraries/StellaOps.Attestor.Infrastructure/Rekor/VerdictRekorPublisher.cs` -- publishes verdict attestations to Rekor.
- **Tests**: `StellaOps.Attestor.Tests/RekorSubmissionQueueTests.cs`, `RekorRetryWorkerTests.cs`, `HttpRekorClientTests.cs`, `__Tests/StellaOps.Attestor.Bundling.Tests/AttestationBundlerTests.cs`, `BundleAggregatorTests.cs`
## E2E Test Plan
- [ ] Bundle 5 DSSE-signed attestations via `AttestationBundler` with a batch size of 5 and verify a single bundle is produced
- [ ] Configure bundling with a batch size of 3 and submit 5 attestations, verifying 2 bundles are produced
- [ ] Enqueue attestations to `PostgresRekorSubmissionQueue` and verify they are stored with `Pending` status
- [ ] Process the queue and verify successful submissions are marked as `Completed`
- [ ] Simulate a Rekor submission failure and verify `RekorRetryWorker` retries the failed item
- [ ] Verify `QueueDepthSnapshot` reports correct counts of pending, processing, and completed items
- [ ] Publish a verdict attestation via `VerdictRekorPublisher` and verify the Rekor receipt is stored
- [ ] Test `ResilientRekorClient` circuit breaker by simulating repeated failures and verifying the circuit opens

34
docs/features/unchecked/attestor/dsse-envelope-signing-for-attestations.md Normal file
View File

@@ -0,0 +1,34 @@
# DSSE Envelope Signing for Attestations
## Module
Attestor
## Status
IMPLEMENTED
## Description
DSSE envelope creation, signing, verification, and serialization are fully implemented across multiple Attestor libraries. The advisory proposed DSSE signing as part of a batch sweep experiment; the signing infrastructure is production-ready.
## Implementation Details
- **Envelope Library**: `src/Attestor/StellaOps.Attestor.Envelope/` -- dedicated DSSE envelope library:
- `DsseEnvelope.cs` -- envelope model with payload and signatures
- `DsseSignature.cs` -- signature model with key ID and signature bytes
- `DsseEnvelopeSerializer.cs` -- JSON serialization with options (`DsseEnvelopeSerializationOptions.cs`, `DsseEnvelopeSerializationResult.cs`)
- `DssePreAuthenticationEncoding.cs` -- PAE (Pre-Authentication Encoding) per DSSE spec
- `DsseCompressionAlgorithm.cs` -- payload compression support
- `DsseDetachedPayloadReference.cs` -- detached payload references
- `EnvelopeSignatureService.cs` -- signing service with key management (`EnvelopeKey.cs`, `EnvelopeKeyIdCalculator.cs`, `EnvelopeSignature.cs`, `EnvelopeSignatureResult.cs`)
- **ProofChain Signing**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/` -- `ProofChainSigner.cs` (with `.Verification`), `IProofChainSigner.cs`, `DsseEnvelope.cs`, `DsseSignature.cs`, `SignatureVerificationResult.cs`, `SigningKeyProfile.cs`
- **Core Signing**: `StellaOps.Attestor.Core/Signing/DsseSigningService.cs`, `IAttestationSigningService.cs` -- core DSSE signing
- **Attestation Library**: `src/Attestor/StellaOps.Attestation/` -- `DsseHelper.cs`, `DsseVerifier.cs`, `DsseEnvelopeExtensions.cs`
- **Tests**: `StellaOps.Attestor.Envelope/__Tests/DsseEnvelopeSerializerTests.cs`, `EnvelopeSignatureServiceTests.cs`, `StellaOps.Attestation.Tests/DsseHelperTests.cs`, `DsseVerifierTests.cs`
## E2E Test Plan
- [ ] Create a DSSE envelope with a JSON payload via `EnvelopeSignatureService`, sign it, and verify the envelope contains the signature
- [ ] Serialize the envelope via `DsseEnvelopeSerializer` and deserialize it, verifying round-trip fidelity
- [ ] Verify the PAE (Pre-Authentication Encoding) matches the DSSE spec: `DSSEv1 <payloadType.length> <payloadType> <payload.length> <payload>`
- [ ] Sign an envelope via `ProofChainSigner` and verify via `ProofChainSigner.Verification`
- [ ] Sign an envelope via `DsseSigningService` in Core and verify via `DsseVerifier`
- [ ] Tamper with the payload after signing and verify signature verification fails
- [ ] Create an envelope with detached payload reference and verify the reference is correctly maintained
- [ ] Sign with multiple keys and verify each signature is independently verifiable

28
docs/features/unchecked/attestor/dsse-for-every-artifact.md Normal file
View File

@@ -0,0 +1,28 @@
# DSSE (Dead Simple Signing Envelope) for Every Artifact
## Module
Attestor
## Status
IMPLEMENTED
## Description
Comprehensive DSSE signing implementation across ProofChain, Envelope, and Spdx3 libraries with verification, pre-authentication encoding, and determinism tests.
## Implementation Details
- **Envelope Library**: `src/Attestor/StellaOps.Attestor.Envelope/` -- standalone DSSE envelope library with `DsseEnvelope`, `DsseSignature`, `DsseEnvelopeSerializer`, `DssePreAuthenticationEncoding`, `EnvelopeSignatureService`.
- **ProofChain DSSE**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/` -- `ProofChainSigner.cs` (with `.Verification`), `DsseEnvelope.cs`, `DsseSignature.cs`, `IProofChainSigner.cs`, `IProofChainKeyStore.cs`.
- **SPDX3 DSSE**: `__Libraries/StellaOps.Attestor.Spdx3/` -- `DsseSpdx3Signer.cs` (with `.Encoding`, `.SignAsync`, `.SignBuildProfile`, `.Verify`), `DsseSpdx3Envelope.cs`, `DsseSpdx3Signature.cs`, `IDsseSpdx3Signer.cs`.
- **BinaryDiff DSSE**: `__Libraries/StellaOps.Attestor.StandardPredicates/BinaryDiff/BinaryDiffDsseSigner.cs`, `BinaryDiffDsseVerifier.cs`.
- **Core DSSE**: `StellaOps.Attestor.Core/Signing/DsseSigningService.cs`, `DssePreAuthenticationEncoding.cs`.
- **Attestation DSSE**: `StellaOps.Attestation/DsseHelper.cs`, `DsseVerifier.cs`.
- **Determinism Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/Envelope/DsseEnvelopeDeterminismTests.cs`
## E2E Test Plan
- [ ] Sign an SBOM artifact via `DsseSpdx3Signer` and verify the DSSE envelope wraps the SPDX3 payload
- [ ] Sign a binary diff artifact via `BinaryDiffDsseSigner` and verify the envelope
- [ ] Sign a proof chain artifact via `ProofChainSigner` and verify the envelope
- [ ] Sign a core attestation via `DsseSigningService` and verify the envelope
- [ ] Verify each signed artifact type with its corresponding verifier
- [ ] Test determinism: sign the same payload twice and verify the PAE bytes are identical
- [ ] Verify cross-library compatibility: create an envelope with `EnvelopeSignatureService`, verify with `DsseVerifier`

31
docs/features/unchecked/attestor/dsse-in-toto-attestation-signing-and-verification.md Normal file
View File

@@ -0,0 +1,31 @@
# DSSE/In-Toto Attestation Signing and Verification
## Module
Attestor
## Status
IMPLEMENTED
## Description
Full DSSE envelope signing service supporting ECDSA P-256, Ed25519, and RSA-PSS. Includes in-toto predicate types for proof chains, SPDX3 build attestations, and verification workflows.
## Implementation Details
- **Signing Service**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/Signing/DsseSigningService.cs` -- core DSSE signing with multi-algorithm support.
- **Key Management**: `Signing/FileKeyProvider.cs` -- file-based key provider. `IAttestationSigningService.cs` -- signing interface. `AttestationSignRequest.cs`, `AttestationSignResult.cs` -- sign request/result.
- **Verification Report Signer**: `Signing/DsseVerificationReportSigner.cs`, `IVerificationReportSigner.cs` -- signs verification reports.
- **In-Toto Statements**: `__Libraries/StellaOps.Attestor.ProofChain/Statements/InTotoStatement.cs` -- base in-toto statement. Statement types: `EvidenceStatement`, `ReasoningStatement`, `VexVerdictStatement`, `ProofSpineStatement`, `SbomLinkageStatement`, `VerdictReceiptStatement`, `ReachabilityWitnessStatement`, `AIExplanationStatement`, etc.
- **Statement Builder**: `__Libraries/StellaOps.Attestor.ProofChain/Builders/StatementBuilder.cs` (with `.Extended`) -- fluent builder for in-toto statements. `IStatementBuilder.cs` -- interface.
- **In-Toto Core**: `StellaOps.Attestor.Core/InToto/` -- `InTotoLink.cs`, `InTotoLinkPredicate.cs`, `LinkBuilder.cs`, `LinkRecorder.cs`, `LayoutVerifier.cs`, `ArtifactDigests.cs` -- in-toto link and layout verification.
- **SPDX3 Signing**: `__Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.cs` (with `.SignAsync`, `.Verify`, `.SignBuildProfile`, `.Encoding`).
- **Signing Infrastructure**: `StellaOps.Attestor.Infrastructure/Signing/AttestorSigningService.cs`, `AttestorSigningKeyRegistry.cs`.
- **Tests**: `StellaOps.Attestor.Core.Tests/InToto/InTotoGoldenTests.cs`, `InTotoLinkTests.cs`, `LinkBuilderTests.cs`, `LayoutVerifierTests.cs`, `Signing/DssePreAuthenticationEncodingTests.cs`, `VerificationReportSignerTests.cs`
## E2E Test Plan
- [ ] Sign an in-toto statement via `DsseSigningService` with ECDSA P-256 key and verify the signature
- [ ] Sign with Ed25519 key and verify the signature
- [ ] Build an in-toto statement via `StatementBuilder` with evidence predicate and verify statement structure
- [ ] Create an in-toto link via `LinkBuilder` with materials and products, sign it, and verify
- [ ] Verify a layout via `LayoutVerifier` with correct link chain
- [ ] Sign an SPDX3 build attestation via `DsseSpdx3Signer` and verify
- [ ] Sign a verification report via `DsseVerificationReportSigner` and verify the signed report
- [ ] Run golden tests to verify signed attestation output matches known-good test vectors

29
docs/features/unchecked/attestor/dsse-in-toto-event-spine.md Normal file
View File

@@ -0,0 +1,29 @@
# DSSE + in-toto Event Spine (Attestation Pipeline)
## Module
Attestor
## Status
IMPLEMENTED
## Description
DSSE envelope signing and verification across the pipeline. Scanner emits policy decision and human approval attestations; Attestor ProofChain provides DSSE envelope/signature models and verification.
## Implementation Details
- **ProofSpine System**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Assembly/` -- `IProofSpineAssembler.cs`, `ProofSpineRequest.cs`, `ProofSpineResult.cs`, `ProofSpineSubject.cs`, `SpineVerificationCheck.cs`, `SpineVerificationResult.cs` -- assembles proof spines from multiple attestation events.
- **Proof Spine Statement**: `Statements/ProofSpineStatement.cs` -- in-toto statement for proof spine. `Predicates/ProofSpinePredicate.cs` -- spine predicate model.
- **Merkle Tree Assembly**: `Assembly/MerkleTree.cs` -- Merkle tree for spine root computation.
- **DSSE Signing**: `Signing/ProofChainSigner.cs` (with `.Verification`) signs spine attestations.
- **Policy Decision Predicate**: `Predicates/PolicyDecisionPredicate.cs`, `PolicyDecision.cs` -- policy decision attestation.
- **Pipeline**: `Pipeline/IProofChainPipeline.cs`, `ProofChainRequest.cs`, `ProofChainResult.cs`, `PipelineSubject.cs`, `RekorEntry.cs` -- proof chain pipeline processing.
- **Statement Builder**: `Builders/StatementBuilder.cs` (with `.Extended`) -- builds in-toto statements for pipeline events.
- **Tests**: `__Tests/StellaOps.Attestor.ProofChain.Tests/ProofSpineAssemblyIntegrationTests.cs`
## E2E Test Plan
- [ ] Assemble a proof spine from 5 attestation events via `IProofSpineAssembler` and verify the spine root hash aggregates all events
- [ ] Sign the proof spine via `ProofChainSigner` and verify the DSSE envelope
- [ ] Verify the spine via `SpineVerificationCheck` and confirm all constituent attestations are valid
- [ ] Create a `PolicyDecisionPredicate` for a pass/fail decision and include it in the spine
- [ ] Process a `ProofChainRequest` through the pipeline and verify a `ProofChainResult` is produced with Rekor entry
- [ ] Verify the Merkle tree root of the spine matches recomputation from individual event hashes
- [ ] Build in-toto statements for each pipeline event via `StatementBuilder` and verify correct predicate types

27
docs/features/unchecked/attestor/dsse-signed-path-witnesses.md Normal file
View File

@@ -0,0 +1,27 @@
# DSSE-Signed Path Witnesses
## Module
Attestor
## Status
IMPLEMENTED
## Description
Reachability witness payloads with path information and witness statements, plus path witness predicate type definitions.
## Implementation Details
- **Reachability Witness Payload**: `src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Statements/ReachabilityWitnessPayload.cs` (with `.Path` partial) -- witness payload with call-stack path information.
- **Witness Statement**: `Statements/ReachabilityWitnessStatement.cs` -- in-toto statement wrapping the witness payload.
- **Path Nodes**: `Statements/WitnessPathNode.cs` -- path node model. `WitnessCallPathNode.cs` -- call-stack path node with function/method details.
- **Witness Metadata**: `Statements/WitnessEvidenceMetadata.cs` -- metadata about evidence source. `WitnessGateInfo.cs` -- gate info for policy.
- **Predicate Types**: `src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Core/PathWitnessPredicateTypes.cs` -- predicate type URI constants.
- **DSSE Signing**: `__Libraries/StellaOps.Attestor.ProofChain/Signing/ProofChainSigner.cs` -- signs witness statements as DSSE envelopes.
- **Proof Emitter**: `StellaOps.Attestor.Core/IProofEmitter.cs` -- emits signed path witness proofs.
## E2E Test Plan
- [ ] Create a `ReachabilityWitnessPayload` with a 4-node call path, wrap in `ReachabilityWitnessStatement`, sign via `ProofChainSigner`, and verify DSSE envelope
- [ ] Verify the signed path witness via signature verification
- [ ] Tamper with a path node in the signed witness and verify verification fails
- [ ] Create path witnesses with different `PathWitnessPredicateTypes` and verify correct predicate type URIs
- [ ] Verify `WitnessEvidenceMetadata` captures the analysis tool that generated the path
- [ ] Create a path witness with `WitnessGateInfo` specifying policy thresholds and verify it serializes correctly

Some files were not shown because too many files have changed in this diff Show More